Purchased Used System - May Have Malware [Solved]


This topic is locked

#1 joseph456
Member, 455 posts
Macboatmaster recommended I post here first and provide a link to the thread:

http://www.geekstogo...45#entry2157645

Thanks for your help.

OTL Logs as requested:

OTL Text

OTL logfile created on: 5/16/2012 9:28:12 PM - Run 1
OTL by OldTimer - Version 3.2.43.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.47 Gb Available Physical Memory | 73.73% Memory free
3.82 Gb Paging File | 3.40 Gb Available in Paging File | 89.09% Paging File free
Paging file location(s): C:\pagefile.sys 2016 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 20.22 Gb Free Space | 54.27% Space Free | Partition Type: NTFS

Computer Name: OWNER-FE8C2F80E | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/16 21:26:27 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2012/04/20 21:18:58 | 000,924,600 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/03/08 22:27:34 | 001,600,560 | ---- | M] (Total Defense, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\casc.exe
PRC - [2012/03/08 22:27:33 | 000,252,976 | ---- | M] (Total Defense, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
PRC - [2012/03/08 22:27:33 | 000,207,920 | ---- | M] (Total Defense, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
PRC - [2011/10/17 15:23:55 | 000,206,152 | ---- | M] (CA) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\CAAMSvc.exe
PRC - [2011/10/13 23:01:35 | 000,222,544 | ---- | M] (Computer Associates International, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
PRC - [2011/08/25 17:53:00 | 000,013,672 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/05/15 23:48:06 | 008,797,856 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll
MOD - [2012/05/15 07:43:43 | 000,221,696 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.ServiceProce#\35da2da22db8fde344d9e17b20a91816\System.ServiceProcess.ni.dll
MOD - [2012/05/15 07:43:22 | 000,771,584 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Runtime.Remo#\94b346f2ab12d38efb1331ded5783396\System.Runtime.Remoting.ni.dll
MOD - [2012/05/15 07:43:19 | 000,787,456 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\bb40644f323a93fa9bc09be350918ef3\System.EnterpriseServices.ni.dll
MOD - [2012/05/15 07:43:18 | 000,649,728 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Transactions\67a386434938003bceb0752e979dabb3\System.Transactions.ni.dll
MOD - [2012/05/15 00:19:54 | 006,815,232 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Data\99d0f7ba920eea1117e45dcd9fec0eb5\System.Data.ni.dll
MOD - [2012/05/15 00:19:28 | 005,617,664 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Xml\d1f299160424bad90fe9f658661389e2\System.Xml.ni.dll
MOD - [2012/05/15 00:19:17 | 013,197,312 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\9ee9841d9e33fe5dceba4cd7d90f2ae0\System.Windows.Forms.ni.dll
MOD - [2012/05/15 00:19:17 | 000,982,528 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Configuration\623d2a0f11dd82bb9bc13d1cb981b239\System.Configuration.ni.dll
MOD - [2012/05/15 00:19:09 | 007,069,184 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Core\ed91b57205429a23bb91f4499059a459\System.Core.ni.dll
MOD - [2012/05/15 00:18:50 | 001,665,536 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\03b5233f1511f5fdb39eb681b04e5506\System.Drawing.ni.dll
MOD - [2012/05/15 00:18:46 | 009,091,584 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\6f9f0467e8b2dd3f69b015c8e30ac945\System.ni.dll
MOD - [2012/05/15 00:18:30 | 014,412,800 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\3953b1d8b9b57e4957bff8f58145384e\mscorlib.ni.dll
MOD - [2012/05/14 21:58:44 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\pdf995mon.dll
MOD - [2012/04/20 21:19:01 | 001,952,696 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2012/03/08 22:27:34 | 000,589,824 | ---- | M] () -- C:\Program Files\CA\CA Internet Security Suite\log4cplusU.dll
MOD - [2011/10/17 15:23:55 | 000,222,536 | ---- | M] () -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\Flipster.dll
MOD - [2008/09/16 20:18:06 | 000,132,608 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/04/20 21:19:00 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/03/08 22:27:33 | 000,252,976 | ---- | M] (Total Defense, Inc.) [On_Demand | Running] -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe -- (CaCCProvSP)
SRV - [2012/03/08 22:27:33 | 000,207,920 | ---- | M] (Total Defense, Inc.) [Auto | Running] -- C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe -- (ccSchedulerSVC)
SRV - [2011/10/25 10:59:16 | 000,244,960 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe -- (Updater Service for StartNow Toolbar)
SRV - [2011/10/17 15:23:55 | 000,206,152 | ---- | M] (CA) [Auto | Running] -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\CAAMSvc.exe -- (CAAMSvc)
SRV - [2011/10/13 23:01:35 | 000,222,544 | ---- | M] (Computer Associates International, Inc.) [Auto | Running] -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe -- (CAISafe)
SRV - [2011/08/25 17:53:00 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe -- (IntuitUpdateServiceV4)
SRV - [2011/04/04 12:42:28 | 000,662,096 | ---- | M] (CA) [Disabled | Stopped] -- C:\Program Files\CA\SharedComponents\TMEngine\UmxEngine.exe -- (UmxEngine)
SRV - [2010/05/18 16:13:58 | 000,935,208 | ---- | M] (Nero AG) [Disabled | Stopped] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Disabled | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2011/10/27 17:07:50 | 000,170,064 | ---- | M] (Total Defense) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\KmxAMRT.sys -- (KmxAMRT)
DRV - [2011/10/26 13:51:22 | 000,083,536 | ---- | M] (CA) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\KmxAgent.sys -- (KmxAgent)
DRV - [2011/09/06 23:03:36 | 000,331,344 | ---- | M] (CA) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\KmxCfg.sys -- (KmxCfg)
DRV - [2011/09/06 23:03:36 | 000,123,984 | ---- | M] (CA) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\KmxStart.sys -- (KmxStart)
DRV - [2011/08/09 17:33:58 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BANTExt.sys -- (BANTExt)
DRV - [2005/11/10 03:47:00 | 000,922,148 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial)
DRV - [2005/08/09 22:35:42 | 001,273,856 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2003/10/14 16:05:28 | 000,252,144 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2003/07/17 17:40:06 | 000,265,728 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {FCE686FB-8DF7-4E4A-8CD8-84EB0245EAAC}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{FCE686FB-8DF7-4E4A-8CD8-84EB0245EAAC}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.yahoo.com/?ilc=14
IE - HKCU\..\SearchScopes,DefaultScope = {DECA3892-BA8F-44b8-A993-A466AD694AE4}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylo...00000904bcce900
IE - HKCU\..\SearchScopes\{380F19BF-BC9C-7AE2-58D1-54D845E090F3}: "URL" = http://www.bing.com/...eferrer:source}
IE - HKCU\..\SearchScopes\{B291BCC3-9CE2-4804-BF5E-506DB4F7F50A}: "URL" = http://search.yahoo....erms}&fr=mkg114
IE - HKCU\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo....erms}&fr=chr-ca
IE - HKCU\..\SearchScopes\{EBDBB365-2609-4078-A7C3-D98283187A56}: "URL" = http://websearch.ask...AE-F2A8BBA58ABA
IE - HKCU\..\SearchScopes\{FCE686FB-8DF7-4E4A-8CD8-84EB0245EAAC}: "URL" = http://www.google.co...1I7ADRA_enUS456
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.co...Domain=usa.net"
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_32: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/05/14 21:34:25 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/05/14 21:34:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2012/05/16 21:28:37 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\de1io1lr.default\extensions
[2012/05/16 00:56:01 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/05/16 00:56:01 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
[2012/05/15 20:15:56 | 000,049,419 | ---- | M] () (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\DE1IO1LR.DEFAULT\EXTENSIONS\{9125C9CB-BE2B-4389-A0C7-46A4BDD46AEA}.XPI
[2012/04/20 21:19:34 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/04/20 21:18:25 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/04/20 21:18:25 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/05/07 12:49:22 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (StartNow Toolbar Helper) - {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll ()
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (PricePeep) - {FD6D90C0-E6EE-4BC6-B9F7-9ED319698007} - C:\Program Files\PricePeep\pricepeep.dll (PricePeep)
O3 - HKLM\..\Toolbar: (StartNow Toolbar) - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\casc.exe (Total Defense, Inc.)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop...t/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate...b?1318284984953 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1330987614109 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {9C65AB3E-C9A8-4789-AE24-B365A1C4A6F9} http://gateway-us.cu...tivex/snret.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_32)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.252.0.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D25C92C6-0F60-4225-8714-F39218DF1473}: DhcpNameServer = 192.168.1.1 71.252.0.12
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/10/10 17:00:21 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/16 21:26:23 | 000,595,456 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2012/05/16 01:24:00 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2012/05/16 00:56:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/05/16 00:15:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\(owner-fe8c2f80e)_files
[2012/05/15 23:13:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/05/15 23:12:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBlaster
[2012/05/15 23:12:56 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2012/05/15 23:09:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\etc
[2012/05/15 20:49:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Revo Uninstaller
[2012/05/15 20:36:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2012/05/15 20:36:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/05/15 20:36:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/05/15 20:36:30 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/05/15 20:36:30 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/05/15 08:36:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\TurboTax
[2012/05/15 08:21:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Intuit
[2012/05/15 08:21:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\IsolatedStorage
[2012/05/15 08:06:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Intuit
[2012/05/15 08:03:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\TurboTax 2011
[2012/05/15 08:01:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Intuit
[2012/05/15 08:01:02 | 000,000,000 | ---D | C] -- C:\Program Files\TurboTax
[2012/05/15 08:00:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Intuit
[2012/05/14 23:33:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\CleanUp!
[2012/05/14 23:33:53 | 000,000,000 | ---D | C] -- C:\Program Files\CleanUp!
[2012/05/14 23:19:57 | 000,000,000 | ---D | C] -- C:\Program Files\FileHippo.com
[2012/05/14 22:00:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\pdf995
[2012/05/14 22:00:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\pdf995
[2012/05/14 21:58:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2012/05/14 21:58:44 | 001,667,072 | ---- | C] (TODO: <Company name>) -- C:\WINDOWS\System32\pdfmona.dll
[2012/05/14 21:58:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Software995
[2012/05/14 21:58:42 | 000,000,000 | ---D | C] -- C:\Program Files\pdf995
[2012/05/14 21:40:58 | 000,000,000 | ---D | C] -- C:\Program Files\Belarc
[2012/05/14 21:36:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Downloads
[2012/05/14 21:34:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla
[2012/05/14 21:34:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Mozilla
[2012/05/14 21:34:27 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2012/05/14 21:34:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla
[2012/05/14 21:34:21 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/05/14 21:31:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/05/14 20:44:57 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2012/05/14 15:08:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\SlimWare Utilities Inc
[2012/05/14 15:08:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SlimCleaner
[2012/05/14 15:08:17 | 000,000,000 | ---D | C] -- C:\Program Files\SlimCleaner
[2012/05/14 15:08:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Downloaded Installers
[2012/05/14 14:57:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Windows Search
[2012/05/14 14:05:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Auslogics
[2012/05/14 14:05:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Auslogics
[2012/05/14 14:05:48 | 000,000,000 | ---D | C] -- C:\Program Files\Auslogics
[2012/05/14 13:33:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Defraggler
[2012/05/14 13:33:05 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler
[2012/05/14 13:28:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Speccy
[2012/05/14 13:28:40 | 000,000,000 | ---D | C] -- C:\Program Files\Speccy
[2012/05/14 13:24:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2012/05/14 13:24:28 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/05/14 13:15:05 | 000,000,000 | ---D | C] -- C:\Program Files\HD Tune
[2012/05/14 13:15:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\HD Tune
[2012/05/14 13:13:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\My Downloads
[2012/05/07 12:49:04 | 000,000,000 | ---D | C] -- C:\cabs
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/05/16 21:26:27 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2012/05/16 20:35:13 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/05/16 20:34:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/05/16 20:31:14 | 000,057,292 | ---- | M] () -- C:\WINDOWS\System32\drivers\KmxAgent.asc
[2012/05/16 20:31:14 | 000,048,169 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k0
[2012/05/16 20:31:14 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k7
[2012/05/16 20:31:14 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k6
[2012/05/16 20:31:14 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k5
[2012/05/16 20:31:14 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k4
[2012/05/16 20:31:14 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k3
[2012/05/16 20:31:14 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k2
[2012/05/16 20:31:14 | 000,000,085 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k1
[2012/05/16 20:31:14 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k7
[2012/05/16 20:31:14 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k6
[2012/05/16 20:31:14 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k5
[2012/05/16 20:31:14 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k4
[2012/05/16 20:31:14 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k3
[2012/05/16 20:31:14 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k2
[2012/05/16 20:31:14 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k1
[2012/05/16 20:31:14 | 000,000,049 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k0
[2012/05/16 01:27:16 | 000,480,256 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\store-pp.db
[2012/05/16 00:26:05 | 000,000,163 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\default.rss
[2012/05/16 00:26:01 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2012/05/16 00:16:01 | 000,000,059 | ---- | M] () -- C:\WINDOWS\wpd99.drv
[2012/05/16 00:15:26 | 000,174,268 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\(owner-fe8c2f80e).html
[2012/05/15 23:12:57 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SpywareBlaster.lnk
[2012/05/15 23:07:18 | 000,002,457 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Ebay Problem.rtf
[2012/05/15 21:57:18 | 000,000,508 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\EBay Computer.rtf
[2012/05/15 20:53:04 | 000,101,440 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/05/15 20:49:21 | 000,000,917 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Revo Uninstaller.lnk
[2012/05/15 20:43:01 | 000,000,506 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Cancel-Renew Index - TV Ratings, Nielsen Ratings, Television Show Ratings TVbytheNumbers.com.url
[2012/05/15 20:36:31 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/15 08:22:27 | 000,000,590 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc
[2012/05/15 00:16:43 | 000,523,992 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/05/15 00:16:43 | 000,095,868 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/05/14 23:27:51 | 000,000,606 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook Web Access.url
[2012/05/14 23:26:03 | 000,000,613 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\HD Tune.lnk
[2012/05/14 23:25:55 | 000,001,632 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Update Checker.lnk
[2012/05/14 22:23:09 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2012/05/14 22:00:24 | 000,000,028 | ---- | M] () -- C:\WINDOWS\pdf995.ini
[2012/05/14 21:58:44 | 001,667,072 | ---- | M] (TODO: <Company name>) -- C:\WINDOWS\System32\pdfmona.dll
[2012/05/14 21:58:44 | 000,036,864 | ---- | M] () -- C:\WINDOWS\System32\pdf995mon.dll
[2012/05/14 21:34:28 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/05/07 12:49:22 | 000,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/05/07 12:46:15 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/05/16 00:15:26 | 000,174,268 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\(owner-fe8c2f80e).html
[2012/05/15 23:12:57 | 000,000,754 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SpywareBlaster.lnk
[2012/05/15 23:07:18 | 000,002,457 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Ebay Problem.rtf
[2012/05/15 21:57:17 | 000,000,508 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\EBay Computer.rtf
[2012/05/15 20:51:48 | 000,495,920 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1275210071-1035525444-1606980848-1003-0.dat
[2012/05/15 20:51:47 | 000,091,974 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2012/05/15 20:49:21 | 000,000,917 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Revo Uninstaller.lnk
[2012/05/15 20:36:31 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/15 08:03:34 | 000,000,590 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc
[2012/05/14 23:27:51 | 000,000,606 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook Web Access.url
[2012/05/14 23:26:03 | 000,000,613 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\HD Tune.lnk
[2012/05/14 23:25:55 | 000,001,632 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Update Checker.lnk
[2012/05/14 23:19:57 | 000,001,638 | ---- | C] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Update Checker.lnk
[2012/05/14 22:00:24 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2012/05/14 21:58:45 | 000,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2012/05/14 21:58:44 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2012/05/14 21:41:01 | 000,001,711 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Belarc Advisor.lnk
[2012/05/14 21:40:58 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2012/05/14 21:34:28 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/05/14 21:34:28 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2012/02/14 23:19:50 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/31 14:18:40 | 000,000,163 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\default.rss
[2012/01/30 16:08:55 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/01/30 15:41:00 | 000,000,007 | -HS- | C] () -- C:\Documents and Settings\Owner\Application Data\date
[2012/01/30 15:40:59 | 000,000,002 | -HS- | C] () -- C:\Documents and Settings\Owner\Application Data\evf6
[2012/01/30 15:21:12 | 000,243,200 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2012/01/30 15:21:08 | 000,079,360 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2012/01/29 23:22:32 | 000,480,256 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\store-pp.db
[2012/01/26 18:49:37 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2012/01/26 18:46:12 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2011/11/25 13:30:43 | 000,299,008 | ---- | C] () -- C:\WINDOWS\System32\DLEAsm.dll
[2011/11/25 13:30:43 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\DLEAsmr.dll
[2011/10/10 18:23:20 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\stac97co.dll
[2011/10/10 17:21:53 | 000,005,308 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/10/10 17:14:15 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56spn.dll
[2011/10/10 17:14:15 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56itl.dll
[2011/10/10 17:14:15 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56eng.dll
[2011/10/10 17:14:15 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56brz.dll
[2011/10/10 17:14:15 | 000,061,440 | ---- | C] () -- C:\WINDOWS\sm56ger.dll
[2011/10/10 17:14:15 | 000,061,440 | ---- | C] () -- C:\WINDOWS\sm56fra.dll
[2011/10/10 17:14:15 | 000,053,248 | ---- | C] () -- C:\WINDOWS\sm56jpn.dll
[2011/10/10 17:14:15 | 000,049,152 | ---- | C] () -- C:\WINDOWS\sm56cht.dll
[2011/10/10 17:14:15 | 000,049,152 | ---- | C] () -- C:\WINDOWS\sm56chs.dll
[2011/10/10 17:13:05 | 000,095,617 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2011/10/10 17:03:11 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/10/10 16:56:40 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/10/10 12:49:41 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/10/10 12:48:17 | 000,101,440 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== LOP Check ==========

[2012/01/29 23:16:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon
[2011/10/15 12:11:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
[2012/03/05 17:47:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ETTB
[2012/05/16 00:16:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2011/10/15 21:20:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RegWork
[2012/05/15 23:13:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/05/14 14:05:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Auslogics
[2012/01/29 23:16:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Babylon
[2012/02/10 14:18:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\HandBrake
[2012/01/31 14:46:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ImgBurn
[2012/01/30 15:58:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leawo
[2012/05/14 22:00:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\pdf995
[2012/01/30 15:58:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\tiger-k
[2012/03/05 19:01:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Windows Desktop Search
[2012/05/14 14:57:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Windows Search
[2012/02/08 16:48:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Xilisoft Corporation
[2012/02/03 00:00:00 | 000,000,314 | ---- | M] () -- C:\WINDOWS\Tasks\Regwork.job

========== Purity Check ==========



< End of report >

Extras Txt:

OTL Extras logfile created on: 5/16/2012 9:28:12 PM - Run 1
OTL by OldTimer - Version 3.2.43.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.47 Gb Available Physical Memory | 73.73% Memory free
3.82 Gb Paging File | 3.40 Gb Available in Paging File | 89.09% Paging File free
Paging file location(s): C:\pagefile.sys 2016 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 20.22 Gb Free Space | 54.27% Space Free | Partition Type: NTFS

Computer Name: OWNER-FE8C2F80E | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"80:TCP" = 80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe" = C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:*:Enabled:ABBYY FineReader
"C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update v4 Shared Downloads Server -- (Intuit Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0E202730-41DE-479B-9AE3-63EE685766C4}" = SlimCleaner
"{1FE417E2-6B8F-44CA-A7DF-A4BD072E8ED8}_is1" = Leawo DVD Ripper version 4.3.0.0
"{1FE80E58-0774-4EC3-B6BA-68876B88D4B9}" = TurboTax 2011 wvaiper
"{2348B586-C9AE-46CE-936C-A68E9426E214}" = Nero StartSmart Help
"{26A24AE4-039D-4CA4-87B4-2F83216032FF}" = Java™ 6 Update 32
"{33CF58F5-48D8-4575-83D6-96F574E4D83A}" = Nero DriveSpeed
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{38151262-FAF8-4778-9AAB-33E90B60D8E9}" = CA Anti-Virus Plus
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{43E39830-1826-415D-8BAE-86845787B54B}" = Nero Vision
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{595A3116-40BB-4E0F-A2E8-D7951DA56270}" = NeroExpress
"{5D9BE3C1-8BA4-4E7E-82FD-9F74FA6815D1}" = Nero Vision Help
"{62AC81F6-BDD3-4110-9D36-3E9EAAB40999}" = Nero CoverDesigner
"{6eb90063-f7c5-42f8-b197-571607c158d9}" = Nero 9 Essentials
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7748AC8C-18E3-43BB-959B-088FAEA16FB2}" = Nero StartSmart
"{7829DB6F-A066-4E40-8912-CB07887C20BB}" = Nero BurnRights
"{83202942-84B3-4C50-8622-B8C0AA2D2885}" = Nero Express Help
"{869200DB-287A-4DC0-B02B-2B6787FBCD4C}" = Nero DiscSpeed
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{ACEB2BAF-96DF-48FD-ADD5-43842D4C443D}" = Adobe AIR
"{B2EC4A38-B545-4A00-8214-13FE0E915E6D}" = Advertising Center
"{B78120A0-CF84-4366-A393-4D0A59BC546C}" = Menu Templates - Starter Kit
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BD5CA0DA-71AD-43DA-B19E-6EEE0C9ADC9A}" = Nero ControlCenter
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C81A2FE0-3574-00A9-CED4-BDAA334CBE8E}" = Nero Online Upgrade
"{CAF5B770-082F-40C4-853D-3973BB81BDAA}" = TurboTax 2011 WinPerTaxSupport
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D9DCF92E-72EB-412D-AC71-3B01276E5F8B}" = Nero ShowTime
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{E463E171-4082-4744-A466-F7CBE8502789}" = TurboTax 2011 WinPerReleaseEngine
"{E498385E-1C51-459A-B45F-1721E37AA1A0}" = Movie Templates - Starter Kit
"{E8A80433-302B-4FF1-815D-FCC8EAC482FF}" = Nero Installer
"{EE556A3E-EB37-4392-9637-BAA8EC2F47FA}" = TurboTax 2011 wrapper
"{F4041DCE-3FE1-4E18-8A9E-9DE65231EE36}" = Nero ControlCenter
"{F6BDD7C5-89ED-4569-9318-469AA9732572}" = Nero BurnRights Help
"{FAD3D68B-2F9C-459B-AA79-C04B9090FD72}" = TurboTax 2011 WinPerFedFormset
"{FBCDFD61-7DCF-4E71-9226-873BA0053139}" = Nero InfoTool
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"ATI Display Driver" = ATI Display Driver
"Belarc Advisor" = Belarc Advisor 8.2
"CCleaner" = CCleaner
"CleanUp!" = CleanUp!
"Defraggler" = Defraggler
"eTrust Suite Personal" = Total Defense Anti-Virus Plus
"FileHippo.com" = FileHippo.com Update Checker
"HandBrake" = HandBrake 0.9.5
"HD Tune_is1" = HD Tune 2.55
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"KLiteCodecPack_is1" = K-Lite Codec Pack 8.2.0 (Full)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Mozilla Firefox 12.0 (x86 en-US)" = Mozilla Firefox 12.0 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Pdf995" = Pdf995
"PricePeep" = PricePeep for Internet Explorer
"PROSet" = Intel® PRO Network Connections Drivers
"Revo Uninstaller" = Revo Uninstaller 1.94
"SMSERIAL" = Motorola SM56 Data Fax Modem
"Speccy" = Speccy
"SpywareBlaster_is1" = SpywareBlaster 4.6
"StartNow Toolbar" = StartNow Toolbar
"TurboTax 2011" = TurboTax 2011
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Xilisoft Video Converter Ultimate" = Xilisoft Video Converter Ultimate
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Software Update" = Yahoo! Software Update
"ZillaTube" = ZillaTube 4.8

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{79A765E1-C399-405B-85AF-466F52E918B0}" = Ask Toolbar Updater

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/7/2012 12:43:15 PM | Computer Name = OWNER-FE8C2F80E | Source = UmxAgent | ID = 99
Description = Sync event client C:\Program Files\CA\CA Internet Security Suite\ccevtmgr.exe
registration timeout

Error - 5/7/2012 1:07:14 PM | Computer Name = OWNER-FE8C2F80E | Source = UmxAgent | ID = 99
Description = Sync event client C:\Program Files\CA\CA Internet Security Suite\ccevtmgr.exe
registration timeout

Error - 5/11/2012 9:35:50 AM | Computer Name = OWNER-FE8C2F80E | Source = UmxAgent | ID = 110
Description = Ask User application closed itself. Product: 1, Sess: 0

Error - 5/11/2012 9:35:50 AM | Computer Name = OWNER-FE8C2F80E | Source = UmxAgent | ID = 99
Description = Sync event client C:\Program Files\CA\CA Internet Security Suite\ccevtmgr.exe
registration timeout

Error - 5/14/2012 1:06:34 PM | Computer Name = OWNER-FE8C2F80E | Source = UmxAgent | ID = 99
Description = Sync event client C:\Program Files\CA\CA Internet Security Suite\ccevtmgr.exe
registration timeout

Error - 5/14/2012 1:51:33 PM | Computer Name = OWNER-FE8C2F80E | Source = UmxAgent | ID = 99
Description = Sync event client C:\Program Files\CA\CA Internet Security Suite\ccevtmgr.exe
registration timeout

Error - 5/14/2012 2:00:39 PM | Computer Name = OWNER-FE8C2F80E | Source = UmxAgent | ID = 99
Description = Sync event client C:\Program Files\CA\CA Internet Security Suite\ccevtmgr.exe
registration timeout

Error - 5/14/2012 8:41:55 PM | Computer Name = OWNER-FE8C2F80E | Source = UmxAgent | ID = 99
Description = Sync event client C:\Program Files\CA\CA Internet Security Suite\ccevtmgr.exe
registration timeout

Error - 5/15/2012 8:43:12 PM | Computer Name = OWNER-FE8C2F80E | Source = Application Error | ID = 1000
Description = Faulting application mbam.exe, version 1.60.0.80, faulting module
ntdll.dll, version 5.1.2600.6055, fault address 0x00011295.

Error - 5/15/2012 8:43:22 PM | Computer Name = OWNER-FE8C2F80E | Source = Application Error | ID = 1001
Description = Fault bucket -1372980170.

[ System Events ]
Error - 5/14/2012 1:50:24 PM | Computer Name = OWNER-FE8C2F80E | Source = Service Control Manager | ID = 7000
Description = The Windows Search service failed to start due to the following error:
%%1053

Error - 5/14/2012 1:59:34 PM | Computer Name = OWNER-FE8C2F80E | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Windows Search service
to connect.

Error - 5/14/2012 1:59:34 PM | Computer Name = OWNER-FE8C2F80E | Source = Service Control Manager | ID = 7000
Description = The Windows Search service failed to start due to the following error:
%%1053

Error - 5/14/2012 8:40:48 PM | Computer Name = OWNER-FE8C2F80E | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Windows Search service
to connect.

Error - 5/14/2012 8:40:48 PM | Computer Name = OWNER-FE8C2F80E | Source = Service Control Manager | ID = 7000
Description = The Windows Search service failed to start due to the following error:
%%1053

Error - 5/14/2012 10:46:30 PM | Computer Name = OWNER-FE8C2F80E | Source = Print | ID = 6161
Description = The document Pdf995 Read Me.pdf owned by Owner failed to print on
printer Dell V310 Series (Network). Data type: RAW. Size of the spool file in bytes:
3344946. Number of bytes printed: 0. Total number of pages in the document: 3.
Number of pages printed: 1. Client machine: \\OWNER-FE8C2F80E. Win32 error code
returned by the print processor: 0 (0x0).

Error - 5/14/2012 11:17:21 PM | Computer Name = OWNER-FE8C2F80E | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service YahooAUService
with arguments "" in order to run the server: {90AFF435-B544-4F94-A0C2-CC020EACA4E3}

Error - 5/15/2012 7:58:00 AM | Computer Name = OWNER-FE8C2F80E | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service gupdate with
arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error - 5/15/2012 8:43:37 AM | Computer Name = OWNER-FE8C2F80E | Source = Service Control Manager | ID = 7034
Description = The Intuit Update Service v4 service terminated unexpectedly. It
has done this 1 time(s).

Error - 5/15/2012 9:14:40 AM | Computer Name = OWNER-FE8C2F80E | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.


< End of report >

Edited by joseph456, 16 May 2012 - 09:37 PM.

  • 0
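The Extras log above dumps several registry keys that decide how loudly Windows XP complains about missing protection (Security Center), whether the firewall is on, and which ports are globally opened. As an added example (not code from the thread, from OTL's author, or from any tool named here), the Python script below parses those blocks in the layout OTL prints them (`[HKEY_...]` header, then `"Name" = Data` lines) and flags the settings a responder would check first. The sample text is constructed to mirror that layout; its values echo the posted log except for the `3389:TCP` entry, which is made up to exercise the open-port check. The `port:proto:scope:Enabled|Disabled:description` field order is assumed from the lines visible in the log.

```python
"""Triage the registry sections of an OTL 'Extras' log (added example).

OTL prints each registry key as a [HKEY_...] line followed by "Name" = Data
lines. This script parses those blocks and flags settings an analyst would
want to notice before trusting the machine: silenced Security Center alerts,
a disabled firewall profile, System Restore turned off, and globally open
firewall ports whose rule is actually Enabled.
"""
import re
from typing import Dict, List

# Constructed sample in the layout of an OTL Extras log. Values echo the
# thread's log except the 3389:TCP line, which is made up for the test.
SAMPLE_EXTRAS = r"""
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop (constructed)
"""

SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
SYSTEM_RESTORE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
FW_BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")          # [HKEY_...\Key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "Name" = Data


def parse_extras(text: str) -> Dict[str, Dict[str, str]]:
    """Return {registry_key: {value_name: data}} for every [HK...] block."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})   # empty blocks are recorded too
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def triage(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag weak Security Center, System Restore and firewall settings."""
    findings: List[str] = []
    sc = keys.get(SECURITY_CENTER, {})
    for name in ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"):
        if sc.get(name) == "1":
            findings.append(f"Security Center: {name}=1 (alerts for this component are silenced)")
    for name in ("AntiVirusOverride", "FirewallOverride"):
        if sc.get(name) == "1":
            findings.append(f"Security Center: {name}=1 (built-in monitoring for this component is overridden)")
    if keys.get(SYSTEM_RESTORE, {}).get("DisableSR") == "1":
        findings.append("System Restore: DisableSR=1 (restore points are turned off)")
    for profile in ("DomainProfile", "StandardProfile"):
        prof = keys.get(f"{FW_BASE}\\{profile}", {})
        if prof.get("EnableFirewall") == "0":
            findings.append(f"Firewall: {profile} EnableFirewall=0 (Windows Firewall is off for this profile)")
        ports = keys.get(f"{FW_BASE}\\{profile}\\GloballyOpenPorts\\List", {})
        for data in ports.values():
            fields = data.split(":")   # port:proto:scope:Enabled|Disabled:description
            if len(fields) >= 5 and fields[3] == "Enabled":
                desc = ":".join(fields[4:])
                findings.append(f"Firewall: {profile} globally open port {fields[0]}/{fields[1]} ({desc})")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_extras(SAMPLE_EXTRAS)):
        print(finding)
```

Run against the sample, it reports the two silenced notifications, the disabled StandardProfile firewall and the constructed 3389/TCP rule, while the Disabled 5985/TCP rule and DisableSR=0 produce nothing; pointing `parse_extras` at a saved Extras.txt instead of the sample works the same way.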



#2
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.

Hi and welcome back to Geeks to Go. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

  • I will start working on your Malware issues; this may, or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Next:

I have read through your other topic over in the Windows XP™, 2000, 2003, NT part of the forum. Personally I do agree with the prior advice that a complete reformat and reinstallation of the Windows Operating System would be the most prudent course of action, as the machine could have been used for absolutely anything and/or an ineffectual Malware Removal process carried out in the past, for example. Either way my friendly advice would be never to use this particular machine for, say, any form of online banking in the future unless you decide to wipe the hard-drive first etc.

OK, the presently installed CA security-related software does appear to be possibly out of date and not that effective overall in my humble opinion. So I propose we uninstall all elements and will replace that in due course. Until a new Anti-Virus application is installed it would be prudent to limit online activity with the machine as a precaution.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double-click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Next:

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

CA Anti-Virus Plus
Mozilla Maintenance Service
PricePeep
Total Defense Anti-Virus Plus
SpywareBlaster 4.6
StartNow Toolbar


To do so, click once on each of the above in turn to highlight and then click on the Remove button.

Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

Next:

  • Please download this tool from Microsoft.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in. Save this file and post it in your next reply.
Scan with aswMBR:

Please download aswMBR.exe to your desktop.

  • Double-click the aswMBR.exe to run it
  • When prompted with The application can use the Avast! Free Antivirus for scanning >> select No
  • Now click on the Scan button to start scan
  • On completion of the scan click Save Log, save it to your desktop and post the contents in your next reply
Note: There will also be a file on your desktop named MBR.dat (or similar); do not delete this for now, as it is an actual backup of the MBR (master boot record).

Next:

Let me know when you have completed the above and post the requested logs, along with a new OTL log, and we will go from there. Thank you.
  • 0

#3
joseph456

joseph456

    Member

  • Topic Starter
  • Member
  • 455 posts
Dakeyras -

Thanks for your response. I can attend to this later this evening.

Question - Should I use Revo Uninstaller to uninstall the programs you mentioned so it can remove any additional leftovers? If so, at what level - Built-in, Safe, Moderate, Advanced?

Also I was not sure about the concern relating to "Mozilla Maintenance." It installed with the latest Firefox update to 12. Is it a problem (since it is now on all my computers)?

Edited by joseph456, 17 May 2012 - 10:04 AM.

  • 0

#4
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts

Thanks for your response. I can attend to this later this evening.

OK and you're welcome! :)

Question - Should I use Revo Uninstaller to uninstall the programs you mentioned so it can remove any additional leftovers? If so, at what level - Built-in, Safe, Moderate, Advanced?

Just use the inbuilt uninstallers for now and if there is, say, a problem removing any of the CA-related software we will merely deploy the actual uninstall tool for that etc.

Also was not sure about concern relating to "Mozilla Maintenance." It installed with the latest Firefox update to 12. Is it a problem (since it is now on all my computers?)

It is not malicious per se and is a recent feature with the latest Firefox upgrade; it basically automatically checks for updates and actually is more of a feature for, say, Vista and Windows 7 as it bypasses the Windows User Account Control with those Operating Systems...but it still works with XP systems.

Anyway I am of the mind it is not good for any browser to have such a feature from a security point of view and it is best to manually check for any updates and/or check at the vendor's site. Or you could use the below link occasionally to check the status of software installed:-

Secunia Online Software Inspector

End of the day it is your choice to leave it installed or not, but personally it is not something I wish to have on any of my machines all told.
  • 0

#5
joseph456

joseph456

    Member

  • Topic Starter
  • Member
  • 455 posts
Dakeyras -

As Instructed:

ERUNT Downloaded
Registry Backed Up using ERUNT
Removed:

Mozilla Maintenance Service
PricePeep
Total Defense Anti-Virus Plus
SpywareBlaster 4.6 - Curious: what is the problem with this file? I thought it was preventive.
StartNow Toolbar

This file was not on the Add/Remove List:

CA Anti-Virus Plus

MGA Diag

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-YQHRF-94FXW-9GWWY
Windows Product Key Hash: ox+sqVHPe4SBbhpjtlaeB5kbjI0=
Windows Product ID: 76487-OEM-2254591-93840
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {06CB8D05-DCCA-4E02-959E-79A7C2D56E90}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.9.40.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{06CB8D05-DCCA-4E02-959E-79A7C2D56E90}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-9GWWY</PKey><PID>76487-OEM-2254591-93840</PID><PIDType>3</PIDType><SID>S-1-5-21-1275210071-1035525444-1606980848</SID><SYSTEM><Manufacturer>Gateway </Manufacturer><Model>Gateway M675PRR </Model></SYSTEM><BIOS><Manufacturer>Gateway</Manufacturer><Version>51.04.01</Version><SMBIOSVersion major="2" minor="31"/><Date>20041210000000.000000+000</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>ABD63707018400F2</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.9.40.0"/><File Name="WgaLogon.dll" Version="1.9.40.0"/></GANotification></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1E840:Gateway, Inc
Marker string from OEMBIOS.DAT: Dell System,Dell Computer,Dell System,Dell System

OEM Activation 2.0 Data-->
N/A

aswMBR.exe

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-17 21:03:04
-----------------------------
21:03:04.218 OS Version: Windows 5.1.2600 Service Pack 3
21:03:04.218 Number of processors: 2 586 0x209
21:03:04.218 ComputerName: OWNER-FE8C2F80E UserName: Owner
21:03:04.843 Initialize success
21:03:19.453 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:03:19.453 Disk 0 Vendor: IC25N040ATMR04-0 MO2OAD4A Size: 38154MB BusType: 3
21:03:19.468 Disk 0 MBR read successfully
21:03:19.468 Disk 0 MBR scan
21:03:19.468 Disk 0 Windows XP default MBR code
21:03:19.484 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38146 MB offset 63
21:03:19.484 Disk 0 scanning sectors +78124095
21:03:19.578 Disk 0 scanning C:\WINDOWS\system32\drivers
21:03:25.625 Service scanning
21:03:42.062 Modules scanning
21:03:49.828 Disk 0 trace - called modules:
21:03:49.843 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
21:03:49.843 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89b6fab8]
21:03:49.859 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\00000072[0x89bc2338]
21:03:49.859 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89b54d98]
21:03:49.859 Scan finished successfully
21:04:00.984 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
21:04:00.984 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"

OTL log

OTL logfile created on: 5/17/2012 9:08:51 PM - Run 3
OTL by OldTimer - Version 3.2.43.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.63 Gb Available Physical Memory | 81.49% Memory free
3.82 Gb Paging File | 3.56 Gb Available in Paging File | 93.22% Paging File free
Paging file location(s): C:\pagefile.sys 2016 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 20.78 Gb Free Space | 55.77% Space Free | Partition Type: NTFS

Computer Name: OWNER-FE8C2F80E | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/16 21:26:27 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2011/08/25 17:53:00 | 000,013,672 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/05/15 07:43:43 | 000,221,696 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.ServiceProce#\35da2da22db8fde344d9e17b20a91816\System.ServiceProcess.ni.dll
MOD - [2012/05/15 07:43:22 | 000,771,584 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Runtime.Remo#\94b346f2ab12d38efb1331ded5783396\System.Runtime.Remoting.ni.dll
MOD - [2012/05/15 07:43:19 | 000,787,456 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\bb40644f323a93fa9bc09be350918ef3\System.EnterpriseServices.ni.dll
MOD - [2012/05/15 07:43:18 | 000,649,728 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Transactions\67a386434938003bceb0752e979dabb3\System.Transactions.ni.dll
MOD - [2012/05/15 00:19:54 | 006,815,232 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Data\99d0f7ba920eea1117e45dcd9fec0eb5\System.Data.ni.dll
MOD - [2012/05/15 00:19:28 | 005,617,664 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Xml\d1f299160424bad90fe9f658661389e2\System.Xml.ni.dll
MOD - [2012/05/15 00:19:17 | 013,197,312 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\9ee9841d9e33fe5dceba4cd7d90f2ae0\System.Windows.Forms.ni.dll
MOD - [2012/05/15 00:19:17 | 000,982,528 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Configuration\623d2a0f11dd82bb9bc13d1cb981b239\System.Configuration.ni.dll
MOD - [2012/05/15 00:19:09 | 007,069,184 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Core\ed91b57205429a23bb91f4499059a459\System.Core.ni.dll
MOD - [2012/05/15 00:18:50 | 001,665,536 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\03b5233f1511f5fdb39eb681b04e5506\System.Drawing.ni.dll
MOD - [2012/05/15 00:18:46 | 009,091,584 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\6f9f0467e8b2dd3f69b015c8e30ac945\System.ni.dll
MOD - [2012/05/15 00:18:30 | 014,412,800 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\3953b1d8b9b57e4957bff8f58145384e\mscorlib.ni.dll
MOD - [2012/05/14 21:58:44 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\pdf995mon.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2011/08/25 17:53:00 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe -- (IntuitUpdateServiceV4)
SRV - [2010/05/18 16:13:58 | 000,935,208 | ---- | M] (Nero AG) [Disabled | Stopped] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Disabled | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\Owner\LOCALS~1\Temp\aswMBR.sys -- (aswMBR)
DRV - [2011/08/09 17:33:58 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BANTExt.sys -- (BANTExt)
DRV - [2005/11/10 03:47:00 | 000,922,148 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial)
DRV - [2005/08/09 22:35:42 | 001,273,856 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2003/10/14 16:05:28 | 000,252,144 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2003/07/17 17:40:06 | 000,265,728 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {FCE686FB-8DF7-4E4A-8CD8-84EB0245EAAC}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{FCE686FB-8DF7-4E4A-8CD8-84EB0245EAAC}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=1
IE - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.yahoo.com/?ilc=14
IE - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\..\SearchScopes,DefaultScope = {DECA3892-BA8F-44b8-A993-A466AD694AE4}
IE - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylo...00000904bcce900
IE - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\..\SearchScopes\{380F19BF-BC9C-7AE2-58D1-54D845E090F3}: "URL" = http://www.bing.com/...eferrer:source}
IE - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\..\SearchScopes\{B291BCC3-9CE2-4804-BF5E-506DB4F7F50A}: "URL" = http://search.yahoo....erms}&fr=mkg114
IE - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo....erms}&fr=chr-ca
IE - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\..\SearchScopes\{EBDBB365-2609-4078-A7C3-D98283187A56}: "URL" = http://websearch.ask...AE-F2A8BBA58ABA
IE - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\..\SearchScopes\{FCE686FB-8DF7-4E4A-8CD8-84EB0245EAAC}: "URL" = http://www.google.co...1I7ADRA_enUS456
IE - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.co...Domain=usa.net"
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_32: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/05/14 21:34:25 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/05/14 21:34:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2012/05/16 21:28:37 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\de1io1lr.default\extensions
[2012/05/16 00:56:01 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/05/16 00:56:01 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
[2012/05/15 20:15:56 | 000,049,419 | ---- | M] () (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\DE1IO1LR.DEFAULT\EXTENSIONS\{9125C9CB-BE2B-4389-A0C7-46A4BDD46AEA}.XPI
[2012/04/20 21:19:34 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/04/20 21:18:25 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/04/20 21:18:25 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/05/07 12:49:22 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html File not found
O15 - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop...t/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate...b?1318284984953 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1330987614109 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {9C65AB3E-C9A8-4789-AE24-B365A1C4A6F9} http://gateway-us.cu...tivex/snret.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_32)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.252.0.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D25C92C6-0F60-4225-8714-F39218DF1473}: DhcpNameServer = 192.168.1.1 71.252.0.12
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/10/10 17:00:21 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/17 21:01:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2012/05/17 20:42:02 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/05/17 20:42:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2012/05/17 00:46:02 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2012/05/16 21:26:23 | 000,595,456 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2012/05/16 00:56:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/05/16 00:15:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\(owner-fe8c2f80e)_files
[2012/05/15 23:13:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/05/15 23:12:56 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2012/05/15 23:09:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\etc
[2012/05/15 20:49:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Revo Uninstaller
[2012/05/15 20:36:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2012/05/15 20:36:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/05/15 20:36:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/05/15 20:36:30 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/05/15 20:36:30 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/05/15 08:36:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\TurboTax
[2012/05/15 08:21:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Intuit
[2012/05/15 08:21:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\IsolatedStorage
[2012/05/15 08:06:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Intuit
[2012/05/15 08:03:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\TurboTax 2011
[2012/05/15 08:01:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Intuit
[2012/05/15 08:01:02 | 000,000,000 | ---D | C] -- C:\Program Files\TurboTax
[2012/05/15 08:00:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Intuit
[2012/05/14 23:33:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\CleanUp!
[2012/05/14 23:33:53 | 000,000,000 | ---D | C] -- C:\Program Files\CleanUp!
[2012/05/14 23:19:57 | 000,000,000 | ---D | C] -- C:\Program Files\FileHippo.com
[2012/05/14 22:00:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\pdf995
[2012/05/14 22:00:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\pdf995
[2012/05/14 21:58:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2012/05/14 21:58:44 | 001,667,072 | ---- | C] (TODO: <Company name>) -- C:\WINDOWS\System32\pdfmona.dll
[2012/05/14 21:58:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Software995
[2012/05/14 21:58:42 | 000,000,000 | ---D | C] -- C:\Program Files\pdf995
[2012/05/14 21:40:58 | 000,000,000 | ---D | C] -- C:\Program Files\Belarc
[2012/05/14 21:36:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Downloads
[2012/05/14 21:34:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla
[2012/05/14 21:34:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Mozilla
[2012/05/14 21:34:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla
[2012/05/14 21:34:21 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/05/14 21:31:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/05/14 20:44:57 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2012/05/14 15:08:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\SlimWare Utilities Inc
[2012/05/14 15:08:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SlimCleaner
[2012/05/14 15:08:17 | 000,000,000 | ---D | C] -- C:\Program Files\SlimCleaner
[2012/05/14 15:08:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Downloaded Installers
[2012/05/14 14:57:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Windows Search
[2012/05/14 14:05:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Auslogics
[2012/05/14 14:05:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Auslogics
[2012/05/14 14:05:48 | 000,000,000 | ---D | C] -- C:\Program Files\Auslogics
[2012/05/14 13:33:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Defraggler
[2012/05/14 13:33:05 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler
[2012/05/14 13:28:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Speccy
[2012/05/14 13:28:40 | 000,000,000 | ---D | C] -- C:\Program Files\Speccy
[2012/05/14 13:24:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2012/05/14 13:24:28 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/05/14 13:15:05 | 000,000,000 | ---D | C] -- C:\Program Files\HD Tune
[2012/05/14 13:15:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\HD Tune
[2012/05/14 13:13:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\My Downloads
[2012/05/07 12:49:04 | 000,000,000 | ---D | C] -- C:\cabs
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/05/17 21:04:00 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
[2012/05/17 21:01:11 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/05/17 20:57:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/05/17 20:56:31 | 000,057,388 | ---- | M] () -- C:\WINDOWS\System32\drivers\KmxAgent.asc
[2012/05/17 20:42:02 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\NTREGOPT.lnk
[2012/05/17 20:42:02 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk
[2012/05/17 00:49:26 | 000,000,314 | ---- | M] () -- C:\WINDOWS\tasks\Regwork.job
[2012/05/16 21:26:27 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2012/05/16 00:26:05 | 000,000,163 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\default.rss
[2012/05/16 00:26:01 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2012/05/16 00:16:01 | 000,000,059 | ---- | M] () -- C:\WINDOWS\wpd99.drv
[2012/05/16 00:15:26 | 000,174,268 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\(owner-fe8c2f80e).html
[2012/05/15 23:07:18 | 000,002,457 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Ebay Problem.rtf
[2012/05/15 21:57:18 | 000,000,508 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\EBay Computer.rtf
[2012/05/15 20:53:04 | 000,101,440 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/05/15 08:22:27 | 000,000,590 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc
[2012/05/15 00:16:43 | 000,523,992 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/05/15 00:16:43 | 000,095,868 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/05/14 23:27:51 | 000,000,606 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook Web Access.url
[2012/05/14 23:26:03 | 000,000,613 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\HD Tune.lnk
[2012/05/14 23:25:55 | 000,001,632 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Update Checker.lnk
[2012/05/14 22:23:09 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2012/05/14 22:00:24 | 000,000,028 | ---- | M] () -- C:\WINDOWS\pdf995.ini
[2012/05/14 21:58:44 | 001,667,072 | ---- | M] (TODO: <Company name>) -- C:\WINDOWS\System32\pdfmona.dll
[2012/05/14 21:58:44 | 000,036,864 | ---- | M] () -- C:\WINDOWS\System32\pdf995mon.dll
[2012/05/14 21:34:28 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/05/07 12:49:22 | 000,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/05/07 12:46:15 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/05/17 21:04:00 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
[2012/05/17 20:42:02 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\NTREGOPT.lnk
[2012/05/17 20:42:02 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk
[2012/05/16 00:15:26 | 000,174,268 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\(owner-fe8c2f80e).html
[2012/05/15 23:07:18 | 000,002,457 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Ebay Problem.rtf
[2012/05/15 21:57:17 | 000,000,508 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\EBay Computer.rtf
[2012/05/15 20:51:48 | 000,495,920 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1275210071-1035525444-1606980848-1003-0.dat
[2012/05/15 20:51:47 | 000,091,974 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2012/05/15 08:03:34 | 000,000,590 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc
[2012/05/14 23:27:51 | 000,000,606 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook Web Access.url
[2012/05/14 23:26:03 | 000,000,613 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\HD Tune.lnk
[2012/05/14 23:25:55 | 000,001,632 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Update Checker.lnk
[2012/05/14 23:19:57 | 000,001,638 | ---- | C] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Update Checker.lnk
[2012/05/14 22:00:24 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2012/05/14 21:58:45 | 000,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2012/05/14 21:58:44 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2012/05/14 21:41:01 | 000,001,711 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Belarc Advisor.lnk
[2012/05/14 21:40:58 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2012/05/14 21:34:28 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/05/14 21:34:28 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2012/02/14 23:19:50 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/31 14:18:40 | 000,000,163 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\default.rss
[2012/01/30 16:08:55 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/01/30 15:41:00 | 000,000,007 | -HS- | C] () -- C:\Documents and Settings\Owner\Application Data\date
[2012/01/30 15:40:59 | 000,000,002 | -HS- | C] () -- C:\Documents and Settings\Owner\Application Data\evf6
[2012/01/30 15:21:12 | 000,243,200 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2012/01/30 15:21:08 | 000,079,360 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2012/01/26 18:49:37 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2012/01/26 18:46:12 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2011/11/25 13:30:43 | 000,299,008 | ---- | C] () -- C:\WINDOWS\System32\DLEAsm.dll
[2011/11/25 13:30:43 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\DLEAsmr.dll
[2011/10/10 18:23:20 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\stac97co.dll
[2011/10/10 17:21:53 | 000,005,308 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/10/10 17:14:15 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56spn.dll
[2011/10/10 17:14:15 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56itl.dll
[2011/10/10 17:14:15 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56eng.dll
[2011/10/10 17:14:15 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56brz.dll
[2011/10/10 17:14:15 | 000,061,440 | ---- | C] () -- C:\WINDOWS\sm56ger.dll
[2011/10/10 17:14:15 | 000,061,440 | ---- | C] () -- C:\WINDOWS\sm56fra.dll
[2011/10/10 17:14:15 | 000,053,248 | ---- | C] () -- C:\WINDOWS\sm56jpn.dll
[2011/10/10 17:14:15 | 000,049,152 | ---- | C] () -- C:\WINDOWS\sm56cht.dll
[2011/10/10 17:14:15 | 000,049,152 | ---- | C] () -- C:\WINDOWS\sm56chs.dll
[2011/10/10 17:13:05 | 000,095,617 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2011/10/10 17:03:11 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/10/10 16:56:40 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/10/10 12:49:41 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/10/10 12:48:17 | 000,101,440 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== LOP Check ==========

[2012/01/29 23:16:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon
[2012/05/17 20:58:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
[2012/03/05 17:47:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ETTB
[2012/05/16 00:16:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2011/10/15 21:20:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RegWork
[2012/05/17 00:51:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/05/14 14:05:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Auslogics
[2012/01/29 23:16:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Babylon
[2012/02/10 14:18:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\HandBrake
[2012/01/31 14:46:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ImgBurn
[2012/01/30 15:58:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leawo
[2012/05/14 22:00:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\pdf995
[2012/01/30 15:58:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\tiger-k
[2012/03/05 19:01:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Windows Desktop Search
[2012/05/14 14:57:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Windows Search
[2012/02/08 16:48:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Xilisoft Corporation
[2012/05/17 00:49:26 | 000,000,314 | ---- | M] () -- C:\WINDOWS\Tasks\Regwork.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >

Thanks again for your help. I'm ok with removing any of these programs you suggest. I only added the diagnostic programs. Not sure about the others like Handbrake, WinRAR, LEAWO, Babylon, Xilisoft etc. Also two very large 1 and 4 GB ISO files are on the hard disk. Not sure what they are for.

#6 Dakeyras (Anti-Malware Mammoth, Expert, 9,772 posts)
Hi. :)

Thanks again for your help. I'm ok with removing any of these programs you suggest. I only added the diagnostic programs.

You're welcome, and fair play on what you mentioned.

Not sure about the others like Handbrake, WinRAR, LEAWO, Babylon, Xilisoft etc.

Apart from WinRAR, which is a rar/zip file utility, and Babylon, a translation application (just as easy to use Google Translate online, for example), the others are all some type of video converter. So if you did not install any of the aforementioned and/or do not intend to use them in the future, by all means uninstall them if you so wish.

Also two very large 1 and 4 GB ISO files are on the hard disk. Not sure what they are for.

An ISO file can be either something that has been created as a copy of, say, a CD/DVD, or something saved/created and then saved to that particular file format, which in turn can be used to create a more permanent copy on, say, a CD-R or DVD-R/RW, for example.

Quite possibly they had been created by the former owner with one of the video converters installed. By all means delete them if you so wish...

SpywareBlaster 4.6 - Curious - what is the problem with this file? I thought it was preventive.

Spyware Blaster essentially works by adding a large number of sites to the Restricted Sites zone in Internet Explorer, so that when you land on one of the listed sites you have reduced browser functionality.

Internet Explorer was never really designed to have that number of sites listed, and it can affect the performance of Internet Explorer quite noticeably on some machines. You can get a similar type of protection using a custom Hosts file, which blocks access to bad sites rather than limiting functionality, and does not cause the same kind of performance hit to Internet Explorer. Plus, overall it is far from truly effective these days in my humble opinion, nor have I advised the download for anyone I assist in an Anti-Malware capacity for a good number of years now.


This file was not on the Add/Remove List:

CA Anti-Virus Plus

Not a problem.

Next:

From the OTL extras log you posted in the first post in this topic, this caught my attention:-

Error - 5/15/2012 9:14:40 AM | Computer Name = OWNER-FE8C2F80E | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

This most likely denotes that the actual hard drive is in need of some in-depth maintenance rather than an actual hardware issue. Anyway, we can address this in due course once the below is completed.

Custom OTL Script:

  • Double-click OTL.exe to start the program.
  • Copy the lines from the quote-box(do not copy the word quote) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:OTL
IE - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylo...00000904bcce900
IE - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\..\SearchScopes\{EBDBB365-2609-4078-A7C3-D98283187A56}: "URL" = http://websearch.ask...AE-F2A8BBA58ABA
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html File not found
O15 - HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {9C65AB3E-C9A8-4789-AE24-B365A1C4A6F9} http://gateway-us.cu...tivex/snret.cab (Reg Error: Key error.)
[2012/05/15 23:12:56 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]
[2012/05/17 20:56:31 | 000,057,388 | ---- | M] () -- C:\WINDOWS\System32\drivers\KmxAgent.asc
[2012/05/17 00:49:26 | 000,000,314 | ---- | M] () -- C:\WINDOWS\tasks\Regwork.job
@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

:Files
ipconfig /flushdns /c
C:\Program Files\CA

:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CA Anti-Virus Plus]

:Commands
[ResetHosts]
[EmptyTemp]
[CreateRestorePoint]
[Reboot]

  • Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
  • Then click the red Run Fix button.
  • Let the program run unhindered.
  • If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
Note: The logfile can also be located C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

Malwarebytes Anti-Malware:

  • Launch the application, Check for Updates >> Perform quick scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download/Install an AV:

Download just one of the two free anti-virus programs listed below please (either will suffice) and then:

Install >> Update >> Carry Out a Complete Scan. Have it fix/remove anything it finds.

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • OTL Log from the Custom Script.
  • Malwarebytes Anti-Malware Log.
  • Let me know if anything was removed by the AV you chose to install etc.

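The fix above is built from a handful of judgements about OTL output: a BHO or toolbar entry whose CLSID no longer resolves is an orphan left behind by an uninstalled add-on, an IE search scope pointing at a host that is not a known search engine is a likely search hijack, a DPF (ActiveX download unit) with a registry error is dead weight, a scheduled task with no publisher is worth a look, and an alternate data stream hanging off a folder is not something a normal application leaves. The script below is an added example, not part of the original post or of OTL itself; it encodes those judgements as flagging rules over OTL-style lines and changes nothing on disk. The sample lines are constructed for this example (hostnames are invented; the CLSIDs are the ones from the log above), and the allow-list of search hosts is an assumption.

```python
"""Triage rules for OTL-style browser/persistence entries (added example, not OTL code)."""
import re
from urllib.parse import urlparse

# Assumption for this example: hosts accepted as legitimate search providers.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

SEARCH_RE = re.compile(r'^IE - .*SearchScopes\\(\{[0-9A-Fa-f-]+\}): "URL" = (\S+)')
BHO_RE = re.compile(r'^O2 - BHO: \((.*?)\) - (\{[0-9A-Fa-f-]+\}) - (.*)$')
TOOLBAR_RE = re.compile(r'^O3 - .*Toolbar\\WebBrowser: \((.*?)\) - (\{[0-9A-Fa-f-]+\}) - (.*)$')
DPF_RE = re.compile(r'^O16 - DPF: (\{[0-9A-Fa-f-]+\}) (\S+)(?: \((Reg Error: [^)]*)\))?')
# OTL prints the file's company name in parentheses; "()" means no publisher.
TASK_RE = re.compile(r'^\[[^\]]*\] \((.*?)\) -- (.*\\Tasks\\[^\\]+\.job)$', re.IGNORECASE)
ADS_RE = re.compile(r'^@Alternate Data Stream - (\d+) bytes -> (.*)$')


def triage_line(line):
    """Return (kind, identifier, reason) when a line matches a rule, else None."""
    line = line.strip()
    m = SEARCH_RE.match(line)
    if m:
        clsid, url = m.groups()
        host = urlparse(url).hostname or ""
        if host not in KNOWN_SEARCH_HOSTS:
            return ("searchscope", clsid, f"search provider on unknown host {host}")
        return None
    for kind, rx in (("bho", BHO_RE), ("toolbar", TOOLBAR_RE)):
        m = rx.match(line)
        if m:
            _name, clsid, tail = m.groups()
            if "No CLSID value found" in tail:
                return (kind, clsid, "orphaned entry: CLSID does not resolve")
            return None
    m = DPF_RE.match(line)
    if m:
        clsid, _url, err = m.groups()
        return ("activex", clsid, f"broken download unit: {err}") if err else None
    m = TASK_RE.match(line)
    if m:
        company, path = m.groups()
        return ("task", path, "scheduled task with no publisher") if not company else None
    m = ADS_RE.match(line)
    if m:
        size, target = m.groups()
        return ("ads", target, f"{size}-byte alternate data stream; inspect or remove")
    return None


def triage(lines):
    """Run every line through the rules and keep the hits, in log order."""
    return [hit for hit in (triage_line(line) for line in lines) if hit]


# Constructed sample modelled on the log above (hosts invented, CLSIDs from the log).
SAMPLE = """\
IE - HKU\\S-1-5-21-0-0-0-1003\\..\\SearchScopes\\{11111111-2222-3333-4444-555555555555}: "URL" = http://search.toolbar-vendor.invalid/?q={searchTerms}
IE - HKU\\S-1-5-21-0-0-0-1003\\..\\SearchScopes\\{66666666-7777-8888-9999-AAAAAAAAAAAA}: "URL" = http://www.google.com/search?q={searchTerms}
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O3 - HKU\\S-1-5-21-0-0-0-1003\\..\\Toolbar\\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O16 - DPF: {9C65AB3E-C9A8-4789-AE24-B365A1C4A6F9} http://activex.example.invalid/snret.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
[2012/05/17 00:49:26 | 000,000,314 | ---- | M] () -- C:\\WINDOWS\\Tasks\\Regwork.job
@Alternate Data Stream - 105 bytes -> C:\\Documents and Settings\\All Users\\Application Data\\TEMP:5C321E34
"""

if __name__ == "__main__":
    for kind, ident, reason in triage(SAMPLE.splitlines()):
        print(f"{kind:12} {ident}  <- {reason}")
```

Run it and the three legitimate lines (the Google search scope, the signed Adobe BHO, the Java download unit) produce no output, while the other six lines are flagged with the reason that would go into an OTL fix script. The rules are deliberately conservative: they flag only entries that are broken or unattributed, which is why a fix written from them is safe to apply without vendor research.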

#7 joseph456 (Topic Starter, Member, 455 posts)
Following through on your recommendations.

Question:

Which of the two anti-virus programs (scale of 1 - 10) do you prefer? I currently have AVG Free and have no experience with the other two. I have wanted to switch for some time now.

Comment: The bad block was picked up by HD Tune. Sometimes cleared with the Windows 5-step repair, but I did not try that yet pending this outcome.

Thanks - this is all very helpful.

From OTL:

All processes killed
========== OTL ==========
Registry key HKEY_USERS\S-1-5-21-1275210071-1035525444-1606980848-1003\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.
Registry key HKEY_USERS\S-1-5-21-1275210071-1035525444-1606980848-1003\Software\Microsoft\Internet Explorer\SearchScopes\{EBDBB365-2609-4078-A7C3-D98283187A56}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EBDBB365-2609-4078-A7C3-D98283187A56}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry value HKEY_USERS\S-1-5-21-1275210071-1035525444-1606980848-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-1275210071-1035525444-1606980848-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Google Sidewiki...\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-1275210071-1035525444-1606980848-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intuit.com\ttlc\ deleted successfully.
Starting removal of ActiveX control {9C65AB3E-C9A8-4789-AE24-B365A1C4A6F9}
C:\WINDOWS\Downloaded Program Files\snret.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9C65AB3E-C9A8-4789-AE24-B365A1C4A6F9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C65AB3E-C9A8-4789-AE24-B365A1C4A6F9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9C65AB3E-C9A8-4789-AE24-B365A1C4A6F9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C65AB3E-C9A8-4789-AE24-B365A1C4A6F9}\ not found.
C:\Program Files\SpywareBlaster folder moved successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SET4B.tmp deleted successfully.
C:\WINDOWS\System32\SET4F.tmp deleted successfully.
C:\WINDOWS\System32\SET57.tmp deleted successfully.
C:\WINDOWS\System32\SETD7.tmp deleted successfully.
C:\WINDOWS\System32\SETD9.tmp deleted successfully.
C:\WINDOWS\System32\SETE7.tmp deleted successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET4.tmp deleted successfully.
C:\WINDOWS\SET8.tmp deleted successfully.
C:\Documents and Settings\All Users\SPL14.tmp deleted successfully.
C:\Documents and Settings\All Users\SPL1B.tmp deleted successfully.
C:\Documents and Settings\All Users\SPL1E.tmp deleted successfully.
C:\WINDOWS\system32\drivers\KmxAgent.asc moved successfully.
C:\WINDOWS\tasks\Regwork.job moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Owner\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Owner\Desktop\cmd.txt deleted successfully.
File\Folder C:\Program Files\CA not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CA Anti-Virus Plus\ not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56475 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 3401035 bytes
->Temporary Internet Files folder emptied: 2942263 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 60635559 bytes
->Flash cache emptied: 470 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 126051501 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 184.00 mb

Unable to start System Restore Service. Error code 1056

OTL by OldTimer - Version 3.2.43.0 log created on 05182012_093445

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

From MB:


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.18.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: OWNER-FE8C2F80E [limited]

5/18/2012 9:42:32 AM
mbam-log-2012-05-18 (09-42-32).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 179352
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKCR\CrossriderApp0000498.BHO (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000498.BHO.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) -> Data: 105a3fa633265283fd66dbea9e01ee1c -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Should I go ahead and defrag/optimize using Auslogics Disk Defragmenter before downloading/installing the AV? 5% defragmented.

Edited by joseph456, 18 May 2012 - 07:56 AM.


#8 Dakeyras (Anti-Malware Mammoth, Expert, 9,772 posts)
Hi. :)

Which of two Anti Virus programs (Scale of 1 - 10) do you prefer. I currently have AVG Free and have no experience with the other two. Wanted to switch for some time now.

My personal preference would be Microsoft Security Essentials, and that is what I use. However, Avast is a fine application also, and I have used that in the past. Anyway, as mentioned prior, either of the aforementioned will suffice. ;)

Comment: Bad Block was picked up by HD Tune. Sometimes cleared with Windows 5 step repair but did not try that yet pending this outcome.

We can check this out shortly (see below), and in the event it is, say, something other than in-depth maintenance required, your best option would be to seek further advice/assistance in your other topic from the IT Techs.

Should I go ahead and defrag/optimize using Auslogics Disk Defragmenter before downloading/installing AV 5% defragmented

No need at this time; just go ahead and install one etc...

Check Hard Disk For Errors:

Click on Start >> Run..., then copy/paste the following command into the box and press OK:

cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"

A blank command window will open on your desktop, then close in a few minutes. This is normal.

A file icon named checkhd.txt should appear on your Desktop. Please post the contents of this file.

Next:

Please check System Restore is active via:-

Right-click on My Computer >> Properties >> System Restore >> if not enabled, do so.

#9 joseph456 (Topic Starter, Member, 455 posts)
Computer seems to be running well. Possible quicker response on internet access.

MSE updated and ran a quick scan and found nothing. Noticed you said complete scan so I am now running a complete scan.

System Restore has been working, with the last entry 5.18.12 @ 10:42. All together there are 22 entries for SR going back to 3/18.

Results of Check HD:

The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
CHKDSK is verifying indexes (stage 2 of 3)...
CHKDSK is recovering lost files.
CHKDSK is verifying security descriptors (stage 3 of 3)...
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Correcting errors in the Volume Bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.

39062015 KB total disk space.
16998256 KB in 34449 files.
12336 KB in 4119 indexes.
0 KB in bad sectors.
182355 KB in use by the system.
65536 KB occupied by the log file.
21869068 KB available on disk.

4096 bytes in each allocation unit.
9765503 total allocation units on disk.
5467267 allocation units available on disk.

Have not deleted ISO files since not sure what is in them. Do not need them if they are video files. Any chance they could be a disk image that I may want to use?

Cause for concern?
Noticed a file in Task Manager, ctfmon.exe, which I have never seen before. This computer does not have any Office programs running. Is this any kind of malware or virus?

MSE ran full scan and did not find anything as far as I could tell. Left the computer while scan was running and came back to this:

Attached thumbnail: MSE 05.18.12.JPG

Edited by joseph456, 18 May 2012 - 11:43 AM.


#10 Dakeyras (Anti-Malware Mammoth, Expert, 9,772 posts)
Hi. :)

Computer seems to be running well. Possible quicker response on internet access.

Good.

System Restore has been working with last entry 5.18.12 @ 10:42. All together there are 22 entries for SR going back to 3/18

Fair play; the only reason I asked, as a precaution, was because OTL reported the following:-

Unable to start System Restore Service. Error code 1056

Though I am surmising System Restore was possibly actually creating a point at the time of the OTL custom fix, according to the actual System Error Code.

Have not deleted ISO files since not sure what is in them. Do not need them if they are video files. Any chance they could be a disk image that I may want to use?

I doubt it at such a relatively small size as they are. Though ironically, to view the contents you would need something along the lines of WinRAR to do so.

If you so wish, send both to a zip-file and attach them if able in your next reply and I will gladly check them out for you.

Cause for concern? Noticed a file in Task Manager ctfmon.exe which I have never seen before. This computer does not have any office programs running. Is this any kind of malware, virus?

Any file can become patched by malware, but in this instance I do not think it is the case; it may be something related to the Language Bar, for example. The below explains more, along with solutions for removing etc...

Frequently asked questions about Ctfmon.exe

What is CTFMON.EXE and How Can I Remove It

MSE ran full scan and did not find anything as far as I could tell. Left the computer while scan was running and came back to this

A good outcome then. To double check if anything was removed merely launch the application and click on the History tab >> select the All detected items option.

Hard-Drive Maintenance/Repair:

Note: for the CHKDSK portion you may refer to this tutorial of mine here and follow the instructions for Graphical Mode if you so wish.

  • Click Start >> Run... then type in CMD and click on OK.
  • At the Command Prompt C:\ > type the following:
  • CD C:\ and hit the Enter/Return key.
  • Now type in DEFRAG C: -F
  • An analysis report will be displayed and then Windows will start the defragmentation run automatically.
  • This may take some time, when completed the Command Prompt C:\ > will appear.
  • Now type in CHKDSK C: /R and hit the Enter/Return key.
  • When prompted with:

CHKDSK cannot run because the volume is in use by another process
Would you like to schedule this volume to be checked next time the system
restarts (Y/N)

  • Hit the Y key then at the Command Prompt C:\ >
  • Type in EXIT and hit the Enter/Return key.
  • Now Reboot(Restart) your computer.
Note: Upon Reboot(Restart) the CHKDSK(check-disk) will start and carry out the repairs required.

You should see a screen like this just after the POST (power on self test) screen:

Posted Image

Note: Do not touch either the keyboard or mouse, otherwise the Check-Disk will be cancelled and your computer will continue to boot up as normal.

Scan with FSS:

Please download Farbar Service Scanner and save to your Desktop.

  • Double-click on FSS.exe to launch it.
  • Select the following options only:

    Internet Services
    Windows Firewall
    System Restore
    Windows Update

  • Click on Scan.
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your next reply.

#11 joseph456 (Topic Starter, Member, 455 posts)

Though I am surmising System Restore was possibly actually creating a point, time of the OTL custom fix according to the actual System Error Code.


System Restore List Below - Does this look ok? Does not look like OTL was able to create restore point?

System Restore 05.18.12.JPG

I doubt it at such a relatively small size they are. Though ironically to view the contents you would need something along the lines of WinRa to do so.


Downloaded VLC Media Player, confirmed they were videos and deleted

Any file can become patched by malware but in this instance I do not think it is the case, may be something related to the Language Bar for example. The below explains more, along with solutions for removing etc...


That is what it was. Made changes in Language Bar and file disappeared

Note: Upon Reboot(Restart) the CHKDSK(check-disk) will start and carry out the repairs required.


Did not notice any repairs. Here is the txt from Event Viewer:

Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1001
Date: 5/18/2012
Time: 9:04:49 PM
User: N/A
Computer: OWNER-FE8C2F80E
Description:
Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 1883 unused index entries from index $SII of file 0x9.
Cleaning up 1883 unused index entries from index $SDH of file 0x9.
Cleaning up 1883 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Windows has made corrections to the file system.

39062015 KB total disk space.
11674640 KB in 35571 files.
12748 KB in 4538 indexes.
0 KB in bad sectors.
181331 KB in use by the system.
65536 KB occupied by the log file.
27193296 KB available on disk.

4096 bytes in each allocation unit.
9765503 total allocation units on disk.
6798324 allocation units available on disk.

Internal Info:
10 33 01 00 b9 9c 00 00 d9 d7 00 00 00 00 00 00 .3..............
c4 00 00 00 06 00 00 00 2f 09 00 00 00 00 00 00 ......../.......
9e a2 92 04 00 00 00 00 8a c2 e3 24 00 00 00 00 ...........$....
2c 03 14 17 00 00 00 00 b8 6b 30 13 02 00 00 00 ,........k0.....
c8 f9 a9 31 03 00 00 00 ae 2e 89 8f 05 00 00 00 ...1............
90 fe 5e b2 00 00 00 00 90 38 07 00 f3 8a 00 00 ..^......8......
00 00 00 00 00 40 90 c8 02 00 00 00 ba 11 00 00 .....@..........

Windows has finished checking your disk.
Please wait while your computer restarts.

FSS txt

Farbar Service Scanner Version: 17-05-2012
Ran by Owner (administrator) on 18-05-2012 at 21:22:22
Running from "C:\Documents and Settings\Owner\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0700000005000000010000000200000003000000040000000600000007000000
IpSec Tag value is correct.

**** End of log ****

For more information, see Help and Support Center at http://go.microsoft....ink/events.asp.

Note: There will also be a file on your desktop named MBR.dat (or similar); do not delete this for now, it is an actual backup of the MBR (master boot record).


Should I still keep MBR - See attached file (says it is a video file?)

MBR 05.17.12.JPG

It also looks like the bad block disappeared! And the temperature the system runs at is lower! :thumbsup:

See HD Tune - before we started one of these blocks was red indicating a bad block

HD Tune 05.18.12.JPG
I appreciate the help! :spoton:

Edited by joseph456, 18 May 2012 - 08:51 PM.

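The FSS "File Check" block in the log above is an integrity check: each networking and service binary on disk is hashed and compared with a known-good digest, and "MD5 is legit" means the two agree. The same idea is the honest answer to the earlier ctfmon.exe worry, since, as the helper said, any file can be patched by malware and a process name alone proves nothing. The script below is an added example, not code from the thread or from Farbar Service Scanner: it builds a baseline of digests for a set of files, then reports each file as ok, modified or missing. The "system directory" is a temporary folder with constructed stand-in contents so the example runs anywhere; the file names and the baseline format are assumptions. It uses SHA-256 rather than MD5: matching a vendor-supplied MD5 list is still workable, but a baseline you build yourself should not rely on a digest with practical collision attacks.

```python
"""Baseline integrity check for a set of binaries (added example, not FSS code)."""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256; system binaries can be large, so read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root, names):
    """Snapshot the current digests of the named files under root (the known-good state)."""
    return {name: sha256_of(os.path.join(root, name)) for name in names}


def check_against_baseline(root, baseline):
    """Compare the files under root with baseline {name: sha256}.

    Returns {name: "ok" | "modified" | "missing"}. A "modified" entry is the
    "MD5 is not legit" case in an FSS log and deserves a replacement from
    known-good media; a "missing" entry means a service cannot start.
    """
    report = {}
    for name, expected in sorted(baseline.items()):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif sha256_of(path) == expected:
            report[name] = "ok"
        else:
            report[name] = "modified"
    return report


def demo():
    """Constructed scenario (not a real system): baseline three stand-in
    binaries, then patch one in place and delete another."""
    with tempfile.TemporaryDirectory() as root:
        originals = {
            "ctfmon.exe": b"MZ stand-in for ctfmon",
            "svchost.exe": b"MZ stand-in for svchost",
            "services.exe": b"MZ stand-in for services",
        }
        for name, data in originals.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root, originals)

        # Simulate infection: append a payload to one file, remove another.
        with open(os.path.join(root, "ctfmon.exe"), "ab") as fh:
            fh.write(b"\x90\x90 appended payload")
        os.remove(os.path.join(root, "services.exe"))

        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

On a real machine the baseline must come from somewhere the malware could not have touched (vendor hashes, install media, or a snapshot taken before the system was handed over), which is exactly what a second-hand system lacks; that gap is why the helper leaned on tool-supplied digests rather than on the files' own names or timestamps.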

#12 Dakeyras (Anti-Malware Mammoth, Expert, 9,772 posts)
Hi. :)

System Restore List Below - Does this look ok? Does not look like OTL was able to create restore point?

All good, and the FSS log confirms no issues with SR; the reason it occurred is probably what I mentioned prior.

Did not notice any repairs

Actually this denotes such:-
Cleaning up minor inconsistencies on the drive.
Cleaning up 1883 unused index entries from index $SII of file 0x9.
Cleaning up 1883 unused index entries from index $SDH of file 0x9.
Cleaning up 1883 unused security descriptors.
Windows has made corrections to the file system.

Plus the new scan with HD Tune confirms such also.

Should I still keep MBR - See attached file (says it is a video file?)

Do leave any tools and or files created so far as we will remove all in due course once the malware removal process is complete.

As for why the .dat extension for the MBR backup has changed, quite possibly it was done by the downloaded VLC Media Player you mentioned, by mistake? Anyway, not a problem for now.

Next:

I would like a final check of your system with a different scanning application so I can ascertain if anything else needs to be advised on my behalf etc., as follows...

Scan with DDS:

Please download DDS and save it to your Desktop from here.

Alternate downloads are here or here.

  • Disable any script blocker, and then double click on DDS to run the tool.
  • When done, DDS will open two logs:
  • DDS.txt <-- Will be opened
  • Attach.txt <-- Will be minimized
  • Save both reports to your desktop.
  • Please post the contents of these two Notepad files in your next reply.
When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • Both DDS logs. <-- Post them individually please, IE: one Log per post/reply.


#13 joseph456 (Topic Starter, Member, 455 posts)
Thanks for working the weekend. :wave:

Computer seems to be working well. Cannot detect any problems. Also glad I switched to MSE

As you can see below, not sure how many restore points I should be keeping.
Also - stopped the indexing; maybe that's why Windows Search is not working. Typically I stop Intuit Update and jqs and jusched from running so as to have the minimum processes running.

Hope I understood the instructions correctly. Here are the two texts you requested:

DDS

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_32
Run by Owner at 20:30:33 on 2012-05-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1418 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\HD Tune\HDTune.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?ilc=1
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1318284984953
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1330987614109
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{D25C92C6-0F60-4225-8714-F39218DF1473} : DhcpNameServer = 192.168.1.1 71.252.0.12
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\de1io1lr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk|https://www.netaddress.com/tpl/Door/Login?Domain=usa.net
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-11-6 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-11-6 136176]
.
=============== Created Last 30 ================
.
2012-05-19 03:33:48 6737808 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{adc7ad12-ce44-4a3b-a780-4ab15737dd26}\mpengine.dll
2012-05-19 03:03:39 -------- d-----w- c:\program files\Auslogics
2012-05-18 23:25:05 -------- d-----w- c:\program files\VideoLAN
2012-05-18 14:42:46 6737808 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-05-18 14:42:24 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-18 14:30:11 -------- d-----w- c:\program files\Microsoft Security Client
2012-05-18 13:34:45 -------- d-----w- C:\_OTL
2012-05-16 04:55:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-16 04:55:59 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-16 03:12:57 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2012-05-16 00:36:36 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
2012-05-16 00:36:31 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-05-16 00:36:30 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-16 00:36:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-15 12:21:55 -------- d-----w- c:\documents and settings\owner\local settings\application data\Intuit
2012-05-15 12:21:49 -------- d-----w- c:\documents and settings\owner\local settings\application data\IsolatedStorage
2012-05-15 12:06:24 -------- d-----w- c:\documents and settings\owner\application data\Intuit
2012-05-15 12:01:30 -------- d-----w- c:\program files\common files\Intuit
2012-05-15 12:01:02 -------- d-----w- c:\program files\TurboTax
2012-05-15 12:00:30 -------- d-----w- c:\documents and settings\all users\application data\Intuit
2012-05-15 03:33:53 -------- d-----w- c:\program files\CleanUp!
2012-05-15 03:19:57 -------- d-----w- c:\program files\FileHippo.com
2012-05-15 02:00:22 -------- d-----w- c:\documents and settings\owner\local settings\application data\pdf995
2012-05-15 01:58:45 59 ----a-w- c:\windows\wpd99.drv
2012-05-15 01:58:45 -------- d-----w- c:\documents and settings\all users\application data\pdf995
2012-05-15 01:58:44 36864 ----a-w- c:\windows\system32\pdf995mon.dll
2012-05-15 01:58:44 1667072 ----a-w- c:\windows\system32\pdfmona.dll
2012-05-15 01:58:42 -------- d-----w- c:\program files\pdf995
2012-05-15 01:40:58 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2012-05-15 01:40:58 -------- d-----w- c:\program files\Belarc
2012-05-15 00:44:57 -------- d-----w- c:\program files\VS Revo Group
2012-05-14 19:20:14 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-14 19:08:25 -------- d-----w- c:\documents and settings\owner\local settings\application data\SlimWare Utilities Inc
2012-05-14 19:08:17 -------- d-----w- c:\program files\SlimCleaner
2012-05-14 18:57:59 -------- d-----w- c:\documents and settings\owner\application data\Windows Search
2012-05-14 18:05:53 -------- d-----w- c:\documents and settings\owner\application data\Auslogics
2012-05-14 17:33:05 -------- d-----w- c:\program files\Defraggler
2012-05-14 17:28:40 -------- d-----w- c:\program files\Speccy
2012-05-14 17:24:28 -------- d-----w- c:\program files\CCleaner
2012-05-14 17:15:05 -------- d-----w- c:\program files\HD Tune
2012-05-07 16:49:04 -------- d-----w- C:\cabs
.
==================== Find3M ====================
.
2012-05-16 04:55:42 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-16 03:48:06 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-21 00:44:12 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x89B4FAB8]
3 CLASSPNP[0xF7657FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000072[0x89B61338]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> \Device\Ide\IdeDeviceP0T0L0-3[0x89BA5D98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
.
============= FINISH: 20:31:05.70 ===============

Attach

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/10/2011 5:03:04 PM
System Uptime: 5/19/2012 3:51:02 PM (5 hours ago)
.
Motherboard: Gateway | | Gateway M675PRR
Processor: Intel® Pentium® 4 CPU 3.00GHz | uFCPGA2 | 2992/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 25.672 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/1000 CT Network Connection
Device ID: PCI\VEN_8086&DEV_1019&SUBSYS_0603107B&REV_00\4&295E04A7&0&0818
Manufacturer: Intel
Name: Intel® PRO/1000 CT Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1019&SUBSYS_0603107B&REV_00\4&295E04A7&0&0818
Service: E1000
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\100F0A0E0B806
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\100F0A0E0B806
Service: NIC1394
.
==== System Restore Points ===================
.
RP104: 3/5/2012 7:53:48 PM - Norton Expert Toolkit before Registry Clean
RP105: 3/5/2012 9:27:09 PM - Norton Expert Toolkit before Registry Clean
RP106: 3/5/2012 9:36:18 PM - Software Distribution Service 3.0
RP107: 3/7/2012 12:08:00 PM - System Checkpoint
RP108: 3/23/2012 9:26:14 AM - Software Distribution Service 3.0
RP109: 5/7/2012 12:43:11 PM - Software Distribution Service 3.0
RP110: 5/14/2012 9:22:43 PM - Revo Uninstaller's restore point - Ask Toolbar Updater
RP111: 5/14/2012 9:23:17 PM - Revo Uninstaller's restore point - Ask Toolbar
RP112: 5/14/2012 9:23:27 PM - Removed Ask Toolbar.
RP113: 5/14/2012 9:25:38 PM - Revo Uninstaller's restore point - Ask Toolbar Updater
RP114: 5/14/2012 9:58:52 PM - Printer Driver PDF995 Printer Driver Installed
RP115: 5/14/2012 10:16:48 PM - Revo Uninstaller's restore point - Google Toolbar for Internet Explorer
RP116: 5/14/2012 10:43:16 PM - Revo Uninstaller's restore point - Dell V310-V510 Series
RP117: 5/14/2012 10:47:29 PM - Revo Uninstaller's restore point - Dell V310-V510 Series
RP118: 5/14/2012 11:14:43 PM - Revo Uninstaller's restore point - Yahoo! Toolbar
RP119: 5/14/2012 11:17:17 PM - Revo Uninstaller's restore point - Yahoo! Toolbar
RP120: 5/14/2012 11:52:11 PM - Software Distribution Service 3.0
RP121: 5/15/2012 8:01:44 AM - Installed TurboTax 2011 wrapper
RP122: 5/15/2012 8:41:28 AM - Installed TurboTax 2011 wvaiper
RP123: 5/15/2012 8:49:50 PM - Revo Uninstaller's restore point - RewardsArcade
RP124: 5/16/2012 12:54:55 AM - Removed Java™ 6 Update 24
RP125: 5/16/2012 12:58:48 AM - Software Distribution Service 3.0
RP126: 5/18/2012 10:42:23 AM - Software Distribution Service 3.0
RP127: 5/18/2012 11:33:45 PM - Software Distribution Service 3.0
RP128: 5/18/2012 11:45:43 PM - Installed ClearType Tuning Control Panel Applet
.
==== Installed Programs ======================
.
.
Leawo DVD Ripper version 4.3.0.0
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.3)
Advertising Center
Ask Toolbar Updater
ATI Display Driver
Auslogics Disk Defrag
Belarc Advisor 8.2
C-Major Audio
CCleaner
CleanUp!
ClearType Tuning Control Panel Applet
Defraggler
ERUNT 1.1j
FileHippo.com Update Checker
Google Update Helper
HandBrake 0.9.5
HD Tune 2.55
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
ImagXpress
Intel® PRO Network Connections Drivers
Java Auto Updater
Java™ 6 Update 32
K-Lite Codec Pack 8.2.0 (Full)
Malwarebytes Anti-Malware version 1.61.0.1400
Menu Templates - Starter Kit
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Motorola SM56 Data Fax Modem
Movie Templates - Starter Kit
Mozilla Firefox 12.0 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB925673)
Nero 9 Essentials
Nero BurnRights
Nero BurnRights Help
Nero ControlCenter
Nero CoverDesigner
Nero DiscSpeed
Nero DriveSpeed
Nero Express Help
Nero InfoTool
Nero Installer
Nero Online Upgrade
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero Vision
Nero Vision Help
NeroExpress
neroxml
Pdf995
Revo Uninstaller 1.94
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2695962)
SlimCleaner
Speccy
TurboTax 2011
TurboTax 2011 WinPerFedFormset
TurboTax 2011 WinPerReleaseEngine
TurboTax 2011 WinPerTaxSupport
TurboTax 2011 wrapper
TurboTax 2011 wvaiper
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Internet Explorer 8 (KB2632503)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2641690)
VLC media player 2.0.1
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Search 4.0
WinRAR archiver
Xilisoft Video Converter Ultimate
XML Paper Specification Shared Components Pack 1.0
Yahoo! Software Update
ZillaTube 4.8
.
==== Event Viewer Messages From Past Week ========
.
5/18/2012 9:34:45 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
5/18/2012 2:05:50 PM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
5/15/2012 8:43:37 AM, error: Service Control Manager [7034] - The Intuit Update Service v4 service terminated unexpectedly. It has done this 1 time(s).
5/15/2012 7:58:00 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
5/14/2012 8:40:48 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
5/14/2012 8:40:48 PM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/14/2012 11:17:21 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service YahooAUService with arguments "" in order to run the server: {90AFF435-B544-4F94-A0C2-CC020EACA4E3}
5/14/2012 10:46:30 PM, error: Print [6161] - The document Pdf995 Read Me.pdf owned by Owner failed to print on printer Dell V310 Series (Network). Data type: RAW. Size of the spool file in bytes: 3344946. Number of bytes printed: 0. Total number of pages in the document: 3. Number of pages printed: 1. Client machine: \\OWNER-FE8C2F80E. Win32 error code returned by the print processor: 0 (0x0).
.
==== End Of File ===========================

Please let me know if you want Attach in a second post

Edited by joseph456, 19 May 2012 - 06:43 PM.

  • 0

#14
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Hi. :)

Thanks for working the weekend.

You're welcome!

not sure how many restore points I should be keeping.

Leave all in place for the time being as when I give the all clear, we will flush/reset all and create a new one etc.

Also - stopped the indexing, maybe that's why Windows Search is not working. Typically stop Intuit Update and jgs and juschedule from running so as to have minimum processes running.

OK, fair play...however please do not make any further changes to your system unless I advise otherwise, as that may hinder the overall malware removal process.

Next:

I noticed this now appears to be installed according to the DDS attach log:-

Ask Toolbar Updater

My advice would be to uninstall it as anything related to that particular toolbar has undesirable characteristics. If it is indeed present in Add/Remove that is.

Next:

Now the actual Rootkit/MBR check performed by DDS as part of its routine when scanning 32 bit Operating Systems is reporting an issue, namely:-

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR

So I would like to check this out further, though strange it was not picked up by the aswMBR scan.

A few possibilities explaining this may be: the machine was infected in the past and an ineffectual repair of the MBR was carried out, and/or it was merely replaced incorrectly somehow. Or if a recovery partition used to be in place that was removed incorrectly also.

Anyway can you inform myself exactly what make/model is the machine as this may shed some light on the situation also.

Scan with RogueKiller:

Please download RogueKiller to your desktop

Alternate download is here.

  • Quit all running programs
  • Double-click on RogueKiller.exe to start the application.
  • Let the pre-scan complete, then click on the Scan tab
  • The RKreport.txt shall be generated next to the executable along with a zip file named RK_Quarantine.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.

Scan with TDSSKiller:

Please download TDSSKiller.zip and extract (unzip) it to your Desktop.

  • Double-click on TDSSKiller.exe to launch it.
  • When the window opens, click on Change Parameters
  • Under Additional options, select both Verify driver digital signatures & Detect TDLFS File System >> OK
  • Click on Start Scan, the scan will run.
  • When the scan has finished, if it finds anything please click on the drop down arrow next to Cure and select Skip
  • A Report will have been created by TDSSKiller in your root directory C:\
  • To find the log go to Start > My Computer > C:
  • Post the contents of that log in your next reply please.
Note: Do not have TDSSKiller remove anything if found at this point in time!
  • 0
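The MBR checks referred to in the post above (DDS's user-mode vs kernel-mode read comparison, RogueKiller's [MBR]/[BSP] hashes and partition line, TDSSKiller's partition summary) can be reproduced on a raw 512-byte sector. This is an added Python example, not code from DDS, RogueKiller, TDSSKiller or anyone in the thread; the sample MBR is constructed (only its partition entry copies the values reported later in the thread), the partition-type table is deliberately partial, and treating the [BSP] hash as covering the boot code alone is an assumption.

```python
"""Added example: parse a 512-byte MBR and compare two reads of it.

Not code from DDS, RogueKiller, TDSSKiller or the forum. The sample MBR is
constructed; only its partition entry copies the thread's reported values
(active NTFS, StartLBA 0x3F, BlocksNum 0x4A81400). Treating RogueKiller's
[BSP] hash as "boot code only" is an assumption.
"""
import hashlib
import struct

SECTOR = 512
# Byte regions of a classic MBR.
BOOT_CODE = slice(0, 440)      # boot loader code
DISK_SIG = slice(440, 444)     # Windows disk signature
PART_TABLE = slice(446, 510)   # four 16-byte partition entries
BOOT_SIG = slice(510, 512)     # must be 55 AA
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count

# Partial table: just the ids that matter for an XP-era disk like this one.
PART_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x27: "Hidden NTFS (recovery)"}


def build_sample_mbr() -> bytes:
    """Constructed sample: XP-style opening bytes, then one active NTFS partition."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"          # XOR AX,AX; MOV SS,AX; MOV SP,7C00h
    boot_code += b"\x00" * (440 - len(boot_code))        # rest of the 440 bytes is filler
    disk_sig, reserved = b"\x12\x34\x56\x78", b"\x00\x00"
    entry0 = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 0x3F, 0x4A81400)
    return boot_code + disk_sig + reserved + entry0 + b"\x00" * 48 + b"\x55\xaa"


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty partition entries, with size in MiB as RogueKiller prints it."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[BOOT_SIG] != b"\x55\xaa":
        raise ValueError("missing 55 AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0:
            continue
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown"),
                      "lba_start": lba, "sectors": count,
                      "size_mib": count * SECTOR // (1024 * 1024)})
    return parts


def format_partition(p: dict) -> str:
    """One line in the shape of RogueKiller's partition table output."""
    state = "ACTIVE" if p["active"] else "INACTIVE"
    return (f"{p['index']} - [{state}] {p['type_name']} (0x{p['type']:02X}) "
            f"Offset (sectors): {p['lba_start']} | Size: {p['size_mib']} Mo")


def fingerprints(mbr: bytes) -> dict:
    """md5 of the whole sector ([MBR]) and of the boot code ([BSP], scope assumed)."""
    return {"mbr": hashlib.md5(mbr).hexdigest(),
            "boot_code": hashlib.md5(mbr[BOOT_CODE]).hexdigest()}


def compare_reads(user_mbr: bytes, kernel_mbr: bytes) -> list:
    """Regions where a user-mode read and a kernel-mode read disagree.

    An empty list is the healthy case; anything else is DDS's
    'user != kernel MBR' condition, and naming the region tells you whether
    the boot code or only the partition table is being presented differently.
    """
    regions = {"boot code": BOOT_CODE, "disk signature": DISK_SIG,
               "partition table": PART_TABLE, "boot signature": BOOT_SIG}
    return [name for name, rng in regions.items() if user_mbr[rng] != kernel_mbr[rng]]


def sanity_issues(parts: list, disk_sectors: int) -> list:
    """Plausibility checks that catch a botched MBR repair or a removed recovery partition."""
    issues = []
    if not any(p["active"] for p in parts):
        issues.append("no active partition")
    for p in parts:
        if p["lba_start"] + p["sectors"] > disk_sectors:
            issues.append(f"partition {p['index']} extends past end of disk")
        for q in parts:
            if (q["index"] > p["index"]
                    and q["lba_start"] < p["lba_start"] + p["sectors"]
                    and p["lba_start"] < q["lba_start"] + q["sectors"]):
                issues.append(f"partitions {p['index']} and {q['index']} overlap")
    return issues


if __name__ == "__main__":
    mbr = build_sample_mbr()
    for part in parse_partitions(mbr):
        print(format_partition(part))
    print(fingerprints(mbr))
    # TDSSKiller reported the drive as 0x950A60000 bytes; check the table against it.
    print(sanity_issues(parse_partitions(mbr), 0x950A60000 // SECTOR))
    tampered = bytearray(mbr)
    tampered[0] ^= 0xFF                      # a read whose boot code differs from the other
    print(compare_reads(mbr, bytes(tampered)))  # ['boot code']
```

On a live machine the two inputs to compare_reads would be the sector as returned through the normal file API and as read by a driver below the filter stack; here both come from the constructed sample.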

#15
joseph456

joseph456

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 455 posts
Appreciate the thoroughness.

OK, fair play...however please do not make any further changes to your system unless I advise otherwise, as that may hinder the overall malware removal process.


Can add back indexing if you think it is a good idea

One item to report - can't seem to get Internet Explorer "Auto Complete" to work (wasn't working before either). When I received the computer, IE was set at "Medium-High" for internet access. Did not make any changes.

Ask Toolbar Updater

My advice would be to uninstall it as anything related to that particular toolbar has undesirable characteristics. If it is indeed present in Add/Remove that is.


Could not remove using add/remove programs. I have attached screenshot from Add/Remove Programs. askupdater.JPG

Then tried Revo Uninstaller and received this: Ask Uninstaller Revo.JPG

When I continued received option to remove these registry items which I bypassed (cancelled) pending your advice: Ask Uninstaller Revo Registry Items.JPG

Can still run and remove if suggested.

Anyway can you inform myself exactly what make/modal is the machine as this may shed some light on the situation also.


Gateway M675 PRR. Here is more detail from Speccy: Speccy Snapshot.JPG

Please post the contents of the RKreport.txt in your next Reply.


RogueKiller V7.4.5 [05/18/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Owner [Admin rights]
Mode: Scan -- Date: 05/20/2012 12:34:38

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] TDSSKiller.exe -- C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.609\TDSSKiller.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 3 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
ÿ₫1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: IC25N040ATMR04-0 +++++
--- User ---
[MBR] 352c0394a59f3335b48ea5ac51c0e812
[BSP] 1a31c6e198c07ae4fde6f1b9e53b97ae : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 38146 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

Scan with TDSSKiller: Post the contents of that log in your next reply please.


12:37:39.0109 3544 TDSS rootkit removing tool 2.7.35.0 May 16 2012 07:37:57
12:37:39.0421 3544 ============================================================
12:37:39.0421 3544 Current date / time: 2012/05/20 12:37:39.0421
12:37:39.0421 3544 SystemInfo:
12:37:39.0421 3544
12:37:39.0421 3544 OS Version: 5.1.2600 ServicePack: 3.0
12:37:39.0421 3544 Product type: Workstation
12:37:39.0421 3544 ComputerName: OWNER-FE8C2F80E
12:37:39.0421 3544 UserName: Owner
12:37:39.0421 3544 Windows directory: C:\WINDOWS
12:37:39.0421 3544 System windows directory: C:\WINDOWS
12:37:39.0421 3544 Processor architecture: Intel x86
12:37:39.0421 3544 Number of processors: 2
12:37:39.0421 3544 Page size: 0x1000
12:37:39.0421 3544 Boot type: Normal boot
12:37:39.0421 3544 ============================================================
12:37:39.0734 3544 Drive \Device\Harddisk0\DR0 - Size: 0x950A60000 (37.26 Gb), SectorSize: 0x200, Cylinders: 0x1300, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
12:37:39.0750 3544 ============================================================
12:37:39.0750 3544 \Device\Harddisk0\DR0:
12:37:39.0750 3544 MBR partitions:
12:37:39.0750 3544 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4A81400
12:37:39.0750 3544 ============================================================
12:37:39.0765 3544 C: <-> \Device\Harddisk0\DR0\Partition0
12:37:39.0765 3544 ============================================================
12:37:39.0765 3544 Initialize success
12:37:39.0765 3544 ============================================================
12:38:04.0562 2228 ============================================================
12:38:04.0562 2228 Scan started
12:38:04.0562 2228 Mode: Manual; SigCheck; TDLFS;
12:38:04.0562 2228 ============================================================
12:38:04.0843 2228 Abiosdsk - ok
12:38:04.0859 2228 abp480n5 - ok
12:38:04.0890 2228 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
12:38:05.0406 2228 ACPI - ok
12:38:05.0484 2228 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
12:38:05.0625 2228 ACPIEC - ok
12:38:05.0640 2228 adpu160m - ok
12:38:05.0671 2228 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
12:38:05.0843 2228 aec - ok
12:38:05.0875 2228 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
12:38:05.0937 2228 AFD - ok
12:38:05.0968 2228 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
12:38:06.0140 2228 agp440 - ok
12:38:06.0140 2228 Aha154x - ok
12:38:06.0156 2228 aic78u2 - ok
12:38:06.0171 2228 aic78xx - ok
12:38:06.0265 2228 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
12:38:06.0437 2228 Alerter - ok
12:38:06.0453 2228 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
12:38:06.0515 2228 ALG - ok
12:38:06.0531 2228 AliIde - ok
12:38:06.0531 2228 amsint - ok
12:38:06.0578 2228 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
12:38:06.0640 2228 AppMgmt - ok
12:38:06.0671 2228 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
12:38:06.0812 2228 Arp1394 - ok
12:38:06.0828 2228 asc - ok
12:38:06.0843 2228 asc3350p - ok
12:38:06.0843 2228 asc3550 - ok
12:38:07.0046 2228 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
12:38:07.0062 2228 aspnet_state - ok
12:38:07.0109 2228 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
12:38:07.0265 2228 AsyncMac - ok
12:38:07.0375 2228 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
12:38:07.0531 2228 atapi - ok
12:38:07.0531 2228 Atdisk - ok
12:38:07.0593 2228 Ati HotKey Poller (a2093ed04d20f3aca0c0d348234c6998) C:\WINDOWS\system32\Ati2evxx.exe
12:38:07.0671 2228 Ati HotKey Poller - ok
12:38:07.0750 2228 ati2mtag (99f6db087497f55d5f8d971f7689f054) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
12:38:07.0843 2228 ati2mtag - ok
12:38:07.0890 2228 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
12:38:08.0046 2228 Atmarpc - ok
12:38:08.0078 2228 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
12:38:08.0281 2228 AudioSrv - ok
12:38:08.0375 2228 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
12:38:08.0531 2228 audstub - ok
12:38:08.0578 2228 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
12:38:08.0593 2228 BANTExt ( UnsignedFile.Multi.Generic ) - warning
12:38:08.0593 2228 BANTExt - detected UnsignedFile.Multi.Generic (1)
12:38:08.0640 2228 BCM43XX (ebf36d658d0da5b1ea667fa403919c26) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
12:38:08.0703 2228 BCM43XX - ok
12:38:08.0750 2228 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
12:38:08.0906 2228 Beep - ok
12:38:08.0968 2228 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
12:38:09.0203 2228 BITS - ok
12:38:09.0250 2228 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
12:38:09.0453 2228 Browser - ok
12:38:09.0687 2228 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
12:38:09.0937 2228 cbidf2k - ok
12:38:09.0953 2228 cd20xrnt - ok
12:38:10.0078 2228 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
12:38:10.0265 2228 Cdaudio - ok
12:38:10.0375 2228 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
12:38:10.0515 2228 Cdfs - ok
12:38:10.0562 2228 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
12:38:10.0734 2228 Cdrom - ok
12:38:10.0750 2228 Changer - ok
12:38:10.0859 2228 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
12:38:11.0046 2228 CiSvc - ok
12:38:11.0078 2228 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
12:38:11.0296 2228 ClipSrv - ok
12:38:11.0375 2228 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
12:38:11.0406 2228 clr_optimization_v2.0.50727_32 - ok
12:38:11.0453 2228 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
12:38:11.0468 2228 clr_optimization_v4.0.30319_32 - ok
12:38:11.0500 2228 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
12:38:11.0687 2228 CmBatt - ok
12:38:11.0687 2228 CmdIde - ok
12:38:11.0718 2228 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
12:38:11.0906 2228 Compbatt - ok
12:38:11.0906 2228 COMSysApp - ok
12:38:11.0921 2228 Cpqarray - ok
12:38:12.0062 2228 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
12:38:12.0250 2228 CryptSvc - ok
12:38:12.0250 2228 dac2w2k - ok
12:38:12.0265 2228 dac960nt - ok
12:38:12.0375 2228 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
12:38:12.0453 2228 DcomLaunch - ok
12:38:12.0484 2228 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
12:38:12.0656 2228 Dhcp - ok
12:38:12.0765 2228 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
12:38:12.0937 2228 Disk - ok
12:38:12.0937 2228 dmadmin - ok
12:38:13.0109 2228 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
12:38:13.0312 2228 dmboot - ok
12:38:13.0343 2228 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
12:38:13.0515 2228 dmio - ok
12:38:13.0546 2228 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
12:38:13.0703 2228 dmload - ok
12:38:13.0718 2228 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
12:38:13.0937 2228 dmserver - ok
12:38:14.0078 2228 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
12:38:14.0250 2228 DMusic - ok
12:38:14.0359 2228 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
12:38:14.0421 2228 Dnscache - ok
12:38:14.0453 2228 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
12:38:14.0671 2228 Dot3svc - ok
12:38:14.0687 2228 dpti2o - ok
12:38:14.0718 2228 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
12:38:14.0875 2228 drmkaud - ok
12:38:14.0906 2228 E1000 (d94437e7ee086677b266099f695cdea1) C:\WINDOWS\system32\DRIVERS\e1000325.sys
12:38:14.0968 2228 E1000 - ok
12:38:15.0062 2228 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
12:38:15.0281 2228 EapHost - ok
12:38:15.0296 2228 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
12:38:15.0500 2228 ERSvc - ok
12:38:15.0765 2228 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
12:38:15.0812 2228 Eventlog - ok
12:38:15.0843 2228 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
12:38:15.0921 2228 EventSystem - ok
12:38:15.0968 2228 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
12:38:16.0125 2228 Fastfat - ok
12:38:16.0250 2228 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
12:38:16.0328 2228 FastUserSwitchingCompatibility - ok
12:38:16.0375 2228 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
12:38:16.0546 2228 Fdc - ok
12:38:16.0640 2228 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
12:38:16.0796 2228 Fips - ok
12:38:16.0812 2228 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
12:38:16.0984 2228 Flpydisk - ok
12:38:17.0046 2228 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
12:38:17.0203 2228 FltMgr - ok
12:38:17.0312 2228 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
12:38:17.0328 2228 FontCache3.0.0.0 - ok
12:38:17.0375 2228 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
12:38:17.0531 2228 Fs_Rec - ok
12:38:17.0625 2228 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
12:38:17.0796 2228 Ftdisk - ok
12:38:17.0828 2228 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
12:38:17.0984 2228 Gpc - ok
12:38:18.0125 2228 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
12:38:18.0140 2228 gupdate - ok
12:38:18.0156 2228 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
12:38:18.0171 2228 gupdatem - ok
12:38:18.0234 2228 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
12:38:18.0421 2228 helpsvc - ok
12:38:18.0437 2228 HidServ - ok
12:38:18.0546 2228 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
12:38:18.0718 2228 HidUsb - ok
12:38:18.0843 2228 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
12:38:19.0062 2228 hkmsvc - ok
12:38:19.0062 2228 hpn - ok
12:38:19.0109 2228 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
12:38:19.0140 2228 HTTP - ok
12:38:19.0187 2228 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
12:38:19.0375 2228 HTTPFilter - ok
12:38:19.0390 2228 i2omgmt - ok
12:38:19.0390 2228 i2omp - ok
12:38:19.0437 2228 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
12:38:19.0609 2228 i8042prt - ok
12:38:19.0812 2228 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
12:38:19.0859 2228 idsvc - ok
12:38:19.0906 2228 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
12:38:20.0062 2228 Imapi - ok
12:38:20.0140 2228 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
12:38:20.0359 2228 ImapiService - ok
12:38:20.0375 2228 ini910u - ok
12:38:20.0406 2228 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
12:38:20.0578 2228 IntelIde - ok
12:38:20.0625 2228 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
12:38:20.0765 2228 intelppm - ok
12:38:20.0859 2228 IntuitUpdateServiceV4 (1663a135865f0ba6e853353e98e67f2a) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
12:38:20.0875 2228 IntuitUpdateServiceV4 - ok
12:38:20.0906 2228 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
12:38:21.0078 2228 Ip6Fw - ok
12:38:21.0109 2228 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
12:38:21.0281 2228 IpFilterDriver - ok
12:38:21.0281 2228 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
12:38:21.0437 2228 IpInIp - ok
12:38:21.0468 2228 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
12:38:21.0625 2228 IpNat - ok
12:38:21.0703 2228 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
12:38:21.0937 2228 IPSec - ok
12:38:22.0031 2228 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
12:38:22.0125 2228 IRENUM - ok
12:38:22.0156 2228 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
12:38:22.0359 2228 isapnp - ok
12:38:22.0468 2228 JavaQuickStarterService (a38441ed570f190cc041a7be49488fa7) C:\Program Files\Java\jre6\bin\jqs.exe
12:38:22.0484 2228 JavaQuickStarterService - ok
12:38:22.0515 2228 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
12:38:22.0671 2228 Kbdclass - ok
12:38:22.0718 2228 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
12:38:22.0875 2228 kmixer - ok
12:38:22.0921 2228 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
12:38:22.0984 2228 KSecDD - ok
12:38:23.0046 2228 LanmanServer (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
12:38:23.0093 2228 LanmanServer - ok
12:38:23.0140 2228 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
12:38:23.0187 2228 lanmanworkstation - ok
12:38:23.0203 2228 lbrtfdc - ok
12:38:23.0250 2228 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
12:38:23.0437 2228 LmHosts - ok
12:38:23.0453 2228 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
12:38:23.0625 2228 Messenger - ok
12:38:23.0656 2228 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
12:38:23.0828 2228 mnmdd - ok
12:38:23.0859 2228 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
12:38:24.0062 2228 mnmsrvc - ok
12:38:24.0093 2228 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
12:38:24.0265 2228 Modem - ok
12:38:24.0281 2228 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
12:38:24.0437 2228 Mouclass - ok
12:38:24.0484 2228 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
12:38:24.0640 2228 mouhid - ok
12:38:24.0671 2228 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
12:38:24.0859 2228 MountMgr - ok
12:38:24.0890 2228 MpFilter (d993bea500e7382dc4e760bf4f35efcb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
12:38:24.0921 2228 MpFilter - ok
12:38:25.0218 2228 MpKsl8ca676ec (a69630d039c38018689190234f866d77) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{965E7061-AB6B-4E98-A636-8CE4614BB58D}\MpKsl8ca676ec.sys
12:38:25.0250 2228 MpKsl8ca676ec - ok
12:38:25.0250 2228 mraid35x - ok
12:38:25.0281 2228 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
12:38:25.0421 2228 MRxDAV - ok
12:38:25.0484 2228 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
12:38:25.0562 2228 MRxSmb - ok
12:38:25.0593 2228 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
12:38:25.0781 2228 MSDTC - ok
12:38:25.0906 2228 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
12:38:26.0078 2228 Msfs - ok
12:38:26.0078 2228 MSIServer - ok
12:38:26.0109 2228 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
12:38:26.0265 2228 MSKSSRV - ok
12:38:26.0343 2228 MsMpSvc (24516bf4e12a46cb67302e2cdcb8cddf) c:\Program Files\Microsoft Security Client\MsMpEng.exe
12:38:26.0375 2228 MsMpSvc - ok
12:38:26.0390 2228 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
12:38:26.0562 2228 MSPCLOCK - ok
12:38:26.0593 2228 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
12:38:26.0718 2228 MSPQM - ok
12:38:26.0765 2228 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
12:38:26.0921 2228 mssmbios - ok
12:38:26.0968 2228 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
12:38:27.0015 2228 Mup - ok
12:38:27.0093 2228 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
12:38:27.0312 2228 napagent - ok
12:38:27.0359 2228 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
12:38:27.0500 2228 NDIS - ok
12:38:27.0640 2228 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
12:38:27.0781 2228 NdisTapi - ok
12:38:27.0828 2228 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
12:38:27.0984 2228 Ndisuio - ok
12:38:28.0156 2228 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
12:38:28.0328 2228 NdisWan - ok
12:38:28.0359 2228 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
12:38:28.0406 2228 NDProxy - ok
12:38:28.0562 2228 Nero BackItUp Scheduler 4.0 (0ff3c6aa3e0fe0eb316df5449b569463) C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
12:38:28.0609 2228 Nero BackItUp Scheduler 4.0 - ok
12:38:28.0640 2228 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
12:38:28.0828 2228 NetBIOS - ok
12:38:28.0859 2228 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
12:38:29.0000 2228 NetBT - ok
12:38:29.0109 2228 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
12:38:29.0328 2228 NetDDE - ok
12:38:29.0343 2228 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
12:38:29.0484 2228 NetDDEdsdm - ok
12:38:29.0531 2228 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:38:29.0687 2228 Netlogon - ok
12:38:29.0796 2228 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
12:38:29.0953 2228 Netman - ok
12:38:30.0125 2228 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
12:38:30.0156 2228 NetTcpPortSharing - ok
12:38:30.0187 2228 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
12:38:30.0390 2228 NIC1394 - ok
12:38:30.0484 2228 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
12:38:30.0531 2228 Nla - ok
12:38:30.0562 2228 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
12:38:30.0703 2228 Npfs - ok
12:38:30.0750 2228 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
12:38:30.0921 2228 Ntfs - ok
12:38:30.0921 2228 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:38:31.0062 2228 NtLmSsp - ok
12:38:31.0171 2228 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
12:38:31.0375 2228 NtmsSvc - ok
12:38:31.0484 2228 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
12:38:31.0671 2228 Null - ok
12:38:31.0796 2228 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
12:38:31.0984 2228 NwlnkFlt - ok
12:38:31.0984 2228 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
12:38:32.0140 2228 NwlnkFwd - ok
12:38:32.0187 2228 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
12:38:32.0343 2228 ohci1394 - ok
12:38:32.0406 2228 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
12:38:32.0562 2228 Parport - ok
12:38:32.0671 2228 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
12:38:32.0843 2228 PartMgr - ok
12:38:32.0890 2228 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
12:38:33.0046 2228 ParVdm - ok
12:38:33.0093 2228 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
12:38:33.0250 2228 PCI - ok
12:38:33.0250 2228 PCIDump - ok
12:38:33.0390 2228 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
12:38:33.0531 2228 PCIIde - ok
12:38:33.0765 2228 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
12:38:33.0921 2228 Pcmcia - ok
12:38:33.0921 2228 PDCOMP - ok
12:38:33.0937 2228 PDFRAME - ok
12:38:33.0937 2228 PDRELI - ok
12:38:33.0953 2228 PDRFRAME - ok
12:38:33.0968 2228 perc2 - ok
12:38:33.0968 2228 perc2hib - ok
12:38:34.0093 2228 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
12:38:34.0125 2228 PlugPlay - ok
12:38:34.0125 2228 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:38:34.0265 2228 PolicyAgent - ok
12:38:34.0375 2228 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
12:38:34.0546 2228 PptpMiniport - ok
12:38:34.0562 2228 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:38:34.0703 2228 ProtectedStorage - ok
12:38:34.0734 2228 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
12:38:34.0890 2228 PSched - ok
12:38:34.0937 2228 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
12:38:35.0093 2228 Ptilink - ok
12:38:35.0109 2228 ql1080 - ok
12:38:35.0109 2228 Ql10wnt - ok
12:38:35.0125 2228 ql12160 - ok
12:38:35.0125 2228 ql1240 - ok
12:38:35.0140 2228 ql1280 - ok
12:38:35.0250 2228 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
12:38:35.0390 2228 RasAcd - ok
12:38:35.0421 2228 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
12:38:35.0593 2228 RasAuto - ok
12:38:35.0625 2228 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
12:38:35.0781 2228 Rasl2tp - ok
12:38:35.0812 2228 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
12:38:36.0000 2228 RasMan - ok
12:38:36.0078 2228 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
12:38:36.0234 2228 RasPppoe - ok
12:38:36.0359 2228 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
12:38:36.0515 2228 Raspti - ok
12:38:36.0546 2228 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
12:38:36.0718 2228 Rdbss - ok
12:38:36.0734 2228 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
12:38:36.0890 2228 RDPCDD - ok
12:38:36.0937 2228 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
12:38:37.0093 2228 rdpdr - ok
12:38:37.0125 2228 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
12:38:37.0187 2228 RDPWD - ok
12:38:37.0234 2228 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
12:38:37.0453 2228 RDSessMgr - ok
12:38:37.0562 2228 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
12:38:37.0718 2228 redbook - ok
12:38:37.0750 2228 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
12:38:37.0937 2228 RemoteAccess - ok
12:38:38.0093 2228 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
12:38:38.0281 2228 RemoteRegistry - ok
12:38:38.0328 2228 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
12:38:38.0515 2228 RpcLocator - ok
12:38:38.0562 2228 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
12:38:38.0593 2228 RpcSs - ok
12:38:38.0640 2228 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
12:38:38.0859 2228 RSVP - ok
12:38:38.0890 2228 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:38:39.0031 2228 SamSs - ok
12:38:39.0078 2228 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
12:38:39.0281 2228 SCardSvr - ok
12:38:39.0328 2228 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
12:38:39.0515 2228 Schedule - ok
12:38:39.0750 2228 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
12:38:39.0828 2228 Secdrv - ok
12:38:39.0875 2228 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
12:38:40.0062 2228 seclogon - ok
12:38:40.0078 2228 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
12:38:40.0265 2228 SENS - ok
12:38:40.0312 2228 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
12:38:40.0468 2228 Serial - ok
12:38:40.0531 2228 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
12:38:40.0687 2228 Sfloppy - ok
12:38:40.0734 2228 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
12:38:40.0968 2228 SharedAccess - ok
12:38:41.0031 2228 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
12:38:41.0046 2228 ShellHWDetection - ok
12:38:41.0046 2228 Simbad - ok
12:38:41.0125 2228 smserial (0eb62cdf4168c49e7568fd544f05d0f1) C:\WINDOWS\system32\DRIVERS\smserial.sys
12:38:41.0234 2228 smserial - ok
12:38:41.0250 2228 Sparrow - ok
12:38:41.0281 2228 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
12:38:41.0453 2228 splitter - ok
12:38:41.0546 2228 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
12:38:41.0593 2228 Spooler - ok
12:38:41.0640 2228 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
12:38:41.0718 2228 sr - ok
12:38:41.0750 2228 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
12:38:41.0875 2228 srservice - ok
12:38:41.0921 2228 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
12:38:42.0000 2228 Srv - ok
12:38:42.0093 2228 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
12:38:42.0203 2228 SSDPSRV - ok
12:38:42.0250 2228 STAC97 (511210dce8564f6bc923ceb6084bd54b) C:\WINDOWS\system32\drivers\STAC97.sys
12:38:42.0296 2228 STAC97 - ok
12:38:42.0343 2228 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
12:38:42.0578 2228 stisvc - ok
12:38:42.0609 2228 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
12:38:42.0781 2228 swenum - ok
12:38:42.0812 2228 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
12:38:43.0000 2228 swmidi - ok
12:38:43.0000 2228 SwPrv - ok
12:38:43.0015 2228 symc810 - ok
12:38:43.0015 2228 symc8xx - ok
12:38:43.0031 2228 sym_hi - ok
12:38:43.0046 2228 sym_u3 - ok
12:38:43.0078 2228 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
12:38:43.0234 2228 sysaudio - ok
12:38:43.0343 2228 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
12:38:43.0562 2228 SysmonLog - ok
12:38:43.0656 2228 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
12:38:43.0828 2228 TapiSrv - ok
12:38:43.0953 2228 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
12:38:44.0015 2228 Tcpip - ok
12:38:44.0109 2228 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
12:38:44.0265 2228 TDPIPE - ok
12:38:44.0281 2228 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
12:38:44.0437 2228 TDTCP - ok
12:38:44.0453 2228 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
12:38:44.0625 2228 TermDD - ok
12:38:44.0671 2228 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
12:38:44.0859 2228 TermService - ok
12:38:44.0890 2228 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
12:38:44.0906 2228 Themes - ok
12:38:44.0953 2228 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
12:38:45.0078 2228 TlntSvr - ok
12:38:45.0078 2228 TosIde - ok
12:38:45.0125 2228 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
12:38:45.0312 2228 TrkWks - ok
12:38:45.0343 2228 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
12:38:45.0500 2228 Udfs - ok
12:38:45.0515 2228 ultra - ok
12:38:45.0796 2228 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
12:38:45.0984 2228 Update - ok
12:38:46.0046 2228 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
12:38:46.0156 2228 upnphost - ok
12:38:46.0187 2228 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
12:38:46.0421 2228 UPS - ok
12:38:46.0468 2228 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
12:38:46.0625 2228 usbccgp - ok
12:38:46.0671 2228 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
12:38:46.0812 2228 usbehci - ok
12:38:46.0843 2228 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
12:38:47.0000 2228 usbhub - ok
12:38:47.0093 2228 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
12:38:47.0234 2228 usbprint - ok
12:38:47.0265 2228 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
12:38:47.0421 2228 usbscan - ok
12:38:47.0468 2228 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
12:38:47.0640 2228 USBSTOR - ok
12:38:47.0656 2228 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
12:38:47.0796 2228 usbuhci - ok
12:38:47.0843 2228 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
12:38:48.0015 2228 VgaSave - ok
12:38:48.0015 2228 ViaIde - ok
12:38:48.0078 2228 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
12:38:48.0250 2228 VolSnap - ok
12:38:48.0296 2228 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
12:38:48.0437 2228 VSS - ok
12:38:48.0468 2228 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
12:38:48.0656 2228 W32Time - ok
12:38:48.0687 2228 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
12:38:48.0843 2228 Wanarp - ok
12:38:48.0843 2228 WDICA - ok
12:38:48.0890 2228 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
12:38:49.0046 2228 wdmaud - ok
12:38:49.0093 2228 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
12:38:49.0281 2228 WebClient - ok
12:38:49.0375 2228 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
12:38:49.0562 2228 winmgmt - ok
12:38:49.0656 2228 WinRM (18f347402da544a780949b8fdf83351b) C:\WINDOWS\system32\WsmSvc.dll
12:38:49.0828 2228 WinRM - ok
12:38:49.0875 2228 WmdmPmSN (051b1bdecd6dee18c771b5d5ec7f044d) C:\WINDOWS\system32\MsPMSNSv.dll
12:38:50.0015 2228 WmdmPmSN - ok
12:38:50.0171 2228 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
12:38:50.0250 2228 Wmi - ok
12:38:50.0343 2228 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
12:38:50.0578 2228 WmiApSrv - ok
12:38:50.0687 2228 WMPNetworkSvc (6bab4dc65515a098505f8b3d01fb6fe5) C:\Program Files\Windows Media Player\WMPNetwk.exe
12:38:51.0109 2228 WMPNetworkSvc - ok
12:38:51.0281 2228 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
12:38:51.0328 2228 WPFFontCache_v0400 - ok
12:38:51.0421 2228 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
12:38:51.0625 2228 wscsvc - ok
12:38:51.0625 2228 WSearch - ok
12:38:51.0687 2228 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
12:38:51.0890 2228 wuauserv - ok
12:38:51.0953 2228 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
12:38:52.0000 2228 WudfPf - ok
12:38:52.0046 2228 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
12:38:52.0125 2228 WudfRd - ok
12:38:52.0140 2228 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
12:38:52.0187 2228 WudfSvc - ok
12:38:52.0234 2228 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
12:38:52.0421 2228 WZCSVC - ok
12:38:52.0453 2228 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
12:38:52.0640 2228 xmlprov - ok
12:38:52.0734 2228 YahooAUService (dd0042f0c3b606a6a8b92d49afb18ad6) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
12:38:52.0781 2228 YahooAUService - ok
12:38:52.0812 2228 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
12:38:53.0453 2228 \Device\Harddisk0\DR0 - ok
12:38:53.0484 2228 Boot (0x1200) (cc7d888e86a3cc8b558ece8f871b0bf7) \Device\Harddisk0\DR0\Partition0
12:38:53.0484 2228 \Device\Harddisk0\DR0\Partition0 - ok
12:38:53.0484 2228 ============================================================
12:38:53.0484 2228 Scan finished
12:38:53.0484 2228 ============================================================
12:38:53.0593 1580 Detected object count: 1
12:38:53.0593 1580 Actual detected object count: 1
12:39:35.0312 1580 BANTExt ( UnsignedFile.Multi.Generic ) - skipped by user
12:39:35.0312 1580 BANTExt ( UnsignedFile.Multi.Generic ) - User select action: Skip
12:39:39.0171 2516 Deinitialize success

This was also there:

12:37:13.0546 1920 TDSS rootkit removing tool 2.7.35.0 May 16 2012 07:37:57
12:37:13.0906 1920 ============================================================
12:37:13.0906 1920 Current date / time: 2012/05/20 12:37:13.0906
12:37:13.0906 1920 SystemInfo:
12:37:13.0906 1920
12:37:13.0906 1920 OS Version: 5.1.2600 ServicePack: 3.0
12:37:13.0906 1920 Product type: Workstation
12:37:13.0906 1920 ComputerName: OWNER-FE8C2F80E
12:37:13.0906 1920 UserName: Owner
12:37:13.0906 1920 Windows directory: C:\WINDOWS
12:37:13.0906 1920 System windows directory: C:\WINDOWS
12:37:13.0906 1920 Processor architecture: Intel x86
12:37:13.0906 1920 Number of processors: 2
12:37:13.0906 1920 Page size: 0x1000
12:37:13.0906 1920 Boot type: Normal boot
12:37:13.0906 1920 ============================================================
12:37:14.0984 1920 Drive \Device\Harddisk0\DR0 - Size: 0x950A60000 (37.26 Gb), SectorSize: 0x200, Cylinders: 0x1300, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
12:37:14.0984 1920 ============================================================
12:37:14.0984 1920 \Device\Harddisk0\DR0:
12:37:14.0984 1920 MBR partitions:
12:37:14.0984 1920 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4A81400
12:37:14.0984 1920 ============================================================
12:37:15.0015 1920 C: <-> \Device\Harddisk0\DR0\Partition0
12:37:15.0015 1920 ============================================================
12:37:15.0015 1920 Initialize success
12:37:15.0015 1920 ============================================================
12:37:20.0218 0164 Deinitialize success

Should I leave both these reports in the root drive?

Also, I thought you should see this folder that RK placed on the desktop, named RK Quarantine:

Thanks!

Edited by joseph456, 20 May 2012 - 02:24 PM.

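The TDSSKiller log pasted above has a regular shape: one line per scanned service or driver with the image's MD5 and path, a matching "- ok" line, a detection count, and a verdict line for anything flagged (here a single generic unsigned-file verdict, UnsignedFile.Multi.Generic, which TDSSKiller reports for files without a valid digital signature, not a confirmed malware hit). The following parser and triage pass is an added example for readers working through such a log; it is not code from the original post, from the forum's helpers, or from TDSSKiller. The sample input is a constructed subset of the log lines above, and the triage heuristics (flagging images loaded from outside C:\WINDOWS\, and one image registered under several service names) are this example's assumptions, not anything TDSSKiller itself checks. Note that lsass.exe legitimately hosts several security services on XP, so the shared-image list is a lead to review, not a verdict.

```python
"""Triage helpers for a TDSSKiller text log (added example; not part of the posted thread).

The parser is written against the line shapes visible in the posted log:
    HH:MM:SS.mmmm PID Name (32-hex-md5) <path>       -- a scanned service/driver image
    HH:MM:SS.mmmm PID Name - ok                       -- its clean result
    HH:MM:SS.mmmm PID Name ( Verdict ) - <action>     -- a detection and what was done
    HH:MM:SS.mmmm PID [Actual ]Detected object count: N
Anything else (headers, separators) is ignored.
"""
import re
from collections import defaultdict

# Constructed sample in the posted log's format (a subset of the lines above, not a new scan).
SAMPLE_LOG = r"""
12:38:14.0906 2228 E1000 (d94437e7ee086677b266099f695cdea1) C:\WINDOWS\system32\DRIVERS\e1000325.sys
12:38:14.0968 2228 E1000 - ok
12:38:18.0125 2228 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
12:38:18.0140 2228 gupdate - ok
12:38:18.0156 2228 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
12:38:18.0171 2228 gupdatem - ok
12:38:29.0531 2228 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:38:29.0687 2228 Netlogon - ok
12:38:38.0890 2228 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:38:39.0031 2228 SamSs - ok
12:38:52.0812 2228 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
12:38:53.0453 2228 \Device\Harddisk0\DR0 - ok
12:38:53.0593 1580 Detected object count: 1
12:38:53.0593 1580 Actual detected object count: 1
12:39:35.0312 1580 BANTExt ( UnsignedFile.Multi.Generic ) - skipped by user
12:39:35.0312 1580 BANTExt ( UnsignedFile.Multi.Generic ) - User select action: Skip
"""

TIME_PID = r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+"
# Name is lazy so "MBR (0x1B8)" stays whole and only the 32-hex group is taken as the MD5.
ENTRY_RE = re.compile(TIME_PID + r"(?P<name>.+?)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*)$")
VERDICT_RE = re.compile(TIME_PID + r"(?P<name>.+?)\s+\(\s*(?P<verdict>[^()]+?)\s*\)\s+-\s+(?P<action>.+)$")
COUNT_RE = re.compile(TIME_PID + r"(?P<actual>Actual )?[Dd]etected object count:\s*(?P<n>\d+)$")

# Where Microsoft-owned service/driver images are expected on this XP system. This is a
# triage assumption made for the example, not something TDSSKiller itself enforces.
SYSTEM_ROOT = "c:\\windows\\"


def parse_log(text):
    """Return (entries, verdicts, counts) parsed from one TDSSKiller log."""
    entries, verdicts, counts = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"name": m["name"], "md5": m["md5"].lower(), "path": m["path"]})
            continue
        m = VERDICT_RE.match(line)
        if m:
            verdicts.append({"name": m["name"], "verdict": m["verdict"], "action": m["action"]})
            continue
        m = COUNT_RE.match(line)
        if m:
            counts["actual" if m["actual"] else "detected"] = int(m["n"])
    return entries, verdicts, counts


def outside_system_root(entries):
    """Images loaded from outside %SystemRoot%: third-party software, or something posing as it.
    Raw device objects (MBR, boot sectors) are not file paths and are excluded."""
    return [e for e in entries
            if not e["path"].startswith("\\Device\\")
            and not e["path"].lower().startswith(SYSTEM_ROOT)]


def shared_images(entries):
    """MD5 -> sorted service names for every image registered under more than one name.
    lsass.exe hosting several security services is normal on XP; an unfamiliar binary
    behind several names is worth a closer look."""
    by_hash = defaultdict(set)
    for e in entries:
        by_hash[e["md5"]].add(e["name"])
    return {h: sorted(names) for h, names in by_hash.items() if len(names) > 1}


if __name__ == "__main__":
    entries, verdicts, counts = parse_log(SAMPLE_LOG)
    print(f"{len(entries)} images scanned, {counts.get('detected', 0)} detected")
    for e in outside_system_root(entries):
        print(f"  outside %SystemRoot%: {e['name']:<10} {e['md5']}  {e['path']}")
    for h, names in shared_images(entries).items():
        print(f"  one image, several names: {h}  {', '.join(names)}")
    for v in verdicts:
        print(f"  verdict: {v['name']} ({v['verdict']}) -> {v['action']}")
```

To run it against the real log, read the TDSSKiller text file from the root of C: into `parse_log` instead of `SAMPLE_LOG`. The MD5 values it extracts can then be compared with a known-good hash set for the same Windows build; the example deliberately ships no hash database, and MD5 here is only an identifier for matching, not an integrity guarantee.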